b46feecfc63376a8afd00514d516faa87fd46fa472f11e2f8be8bac29b47ca74

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
Size

16.5MB
MD5

0c724577d25a43dc8871864f016e0ac1
SHA1

1647a47076f0aa128386fc49c53099a83940504d
SHA256

b46feecfc63376a8afd00514d516faa87fd46fa472f11e2f8be8bac29b47ca74
SHA512

819e08cf0858721adc6498369f8b6ae472f4a85c99e56ae275d4aa255cbe8c9a55c97840881e12aa4a6215fb9ba1742807d01158423d9905ebf2f553651c6af4
SSDEEP

393216:nvBGFZjC0mmzdHfXi1G5SnvOXqlMpgDpn2a+jsxIDiYz:52pCFEfi1G502cMq9l9xIGo

Score

9^/10

discovery execution upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023469-185.dat	UPX
behavioral2/files/0x0007000000023468-199.dat	UPX
behavioral2/files/0x0007000000023484-208.dat	UPX
behavioral2/memory/3736-210-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX
behavioral2/memory/3736-216-0x0000000072740000-0x0000000072B04000-memory.dmp	UPX
behavioral2/memory/3736-215-0x0000000072B10000-0x0000000072C2C000-memory.dmp	UPX
behavioral2/memory/2348-232-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX
behavioral2/memory/2348-233-0x0000000072B10000-0x0000000072C2C000-memory.dmp	UPX
behavioral2/memory/2348-245-0x0000000072740000-0x0000000072B04000-memory.dmp	UPX
behavioral2/memory/3736-329-0x0000000072B10000-0x0000000072C2C000-memory.dmp	UPX
behavioral2/memory/2348-331-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX
behavioral2/memory/2348-332-0x0000000072B10000-0x0000000072C2C000-memory.dmp	UPX
behavioral2/memory/3736-330-0x0000000072740000-0x0000000072B04000-memory.dmp	UPX
behavioral2/memory/3736-328-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX
behavioral2/memory/2348-333-0x0000000072740000-0x0000000072B04000-memory.dmp	UPX
behavioral2/memory/3736-352-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX
behavioral2/files/0x0007000000023465-359.dat	UPX
behavioral2/files/0x000700000002346b-363.dat	UPX
behavioral2/files/0x0007000000023467-361.dat	UPX
behavioral2/memory/3736-383-0x0000000072B10000-0x0000000072C2C000-memory.dmp	UPX
behavioral2/memory/3736-384-0x0000000072740000-0x0000000072B04000-memory.dmp	UPX
behavioral2/memory/3736-382-0x0000000072C60000-0x0000000072D5D000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023469-185.dat	acprotect
behavioral2/files/0x0007000000023468-199.dat	acprotect
behavioral2/files/0x0007000000023484-208.dat	acprotect
behavioral2/files/0x0007000000023465-359.dat	acprotect
behavioral2/files/0x000700000002346b-363.dat	acprotect
behavioral2/files/0x0007000000023467-361.dat	acprotect

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023469-185.dat	upx
behavioral2/files/0x0007000000023468-199.dat	upx
behavioral2/files/0x0007000000023484-208.dat	upx
behavioral2/memory/3736-210-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx
behavioral2/memory/3736-216-0x0000000072740000-0x0000000072B04000-memory.dmp	upx
behavioral2/memory/3736-215-0x0000000072B10000-0x0000000072C2C000-memory.dmp	upx
behavioral2/memory/2348-232-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx
behavioral2/memory/2348-233-0x0000000072B10000-0x0000000072C2C000-memory.dmp	upx
behavioral2/memory/2348-245-0x0000000072740000-0x0000000072B04000-memory.dmp	upx
behavioral2/memory/3736-329-0x0000000072B10000-0x0000000072C2C000-memory.dmp	upx
behavioral2/memory/2348-331-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx
behavioral2/memory/2348-332-0x0000000072B10000-0x0000000072C2C000-memory.dmp	upx
behavioral2/memory/3736-330-0x0000000072740000-0x0000000072B04000-memory.dmp	upx
behavioral2/memory/3736-328-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx
behavioral2/memory/2348-333-0x0000000072740000-0x0000000072B04000-memory.dmp	upx
behavioral2/memory/3736-352-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx
behavioral2/files/0x0007000000023465-359.dat	upx
behavioral2/files/0x000700000002346b-363.dat	upx
behavioral2/files/0x0007000000023467-361.dat	upx
behavioral2/memory/3736-383-0x0000000072B10000-0x0000000072C2C000-memory.dmp	upx
behavioral2/memory/3736-384-0x0000000072740000-0x0000000072B04000-memory.dmp	upx
behavioral2/memory/3736-382-0x0000000072C60000-0x0000000072D5D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Executes dropped EXE 7 IoCs

pid	Process
2456	Launcher.exe
3736	SRManagerSOS.exe
1444	SRServerSOS.exe
2348	SRAgentSOS.exe
2552	SRAppPBSOS.exe
3592	SRFeatureSOS.exe
888	SRUtilitySOS.exe

Loads dropped DLL 12 IoCs

pid	Process
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
1444	SRServerSOS.exe
2348	SRAgentSOS.exe
2348	SRAgentSOS.exe
2348	SRAgentSOS.exe
2348	SRAgentSOS.exe
3592	SRFeatureSOS.exe
3592	SRFeatureSOS.exe
3592	SRFeatureSOS.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4512	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SRAgentSOS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	SRAgentSOS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	SRAgentSOS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SRAgentSOS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	SRAgentSOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	SRAgentSOS.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1076	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe
3736	SRManagerSOS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2348	SRAgentSOS.exe
Token: SeDebugPrivilege	4512	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
1444	SRServerSOS.exe
1444	SRServerSOS.exe
2552	SRAppPBSOS.exe
2552	SRAppPBSOS.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3900	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	86
PID 216 wrote to memory of 3900	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	86
PID 3900 wrote to memory of 2468	3900	cmd.exe	88
PID 3900 wrote to memory of 2468	3900	cmd.exe	88
PID 216 wrote to memory of 4460	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	90
PID 216 wrote to memory of 4460	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	90
PID 4460 wrote to memory of 1076	4460	cmd.exe	92
PID 4460 wrote to memory of 1076	4460	cmd.exe	92
PID 216 wrote to memory of 1980	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	93
PID 216 wrote to memory of 1980	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	93
PID 1980 wrote to memory of 2304	1980	cmd.exe	95
PID 1980 wrote to memory of 2304	1980	cmd.exe	95
PID 216 wrote to memory of 3968	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	96
PID 216 wrote to memory of 3968	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	96
PID 3968 wrote to memory of 1108	3968	cmd.exe	98
PID 3968 wrote to memory of 1108	3968	cmd.exe	98
PID 216 wrote to memory of 2792	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	101
PID 216 wrote to memory of 2792	216	2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe	101
PID 2792 wrote to memory of 592	2792	cmd.exe	103
PID 2792 wrote to memory of 592	2792	cmd.exe	103
PID 2456 wrote to memory of 3736	2456	Launcher.exe	104
PID 2456 wrote to memory of 3736	2456	Launcher.exe	104
PID 2456 wrote to memory of 3736	2456	Launcher.exe	104
PID 3736 wrote to memory of 1444	3736	SRManagerSOS.exe	107
PID 3736 wrote to memory of 1444	3736	SRManagerSOS.exe	107
PID 3736 wrote to memory of 1444	3736	SRManagerSOS.exe	107
PID 3736 wrote to memory of 2348	3736	SRManagerSOS.exe	108
PID 3736 wrote to memory of 2348	3736	SRManagerSOS.exe	108
PID 3736 wrote to memory of 2348	3736	SRManagerSOS.exe	108
PID 3736 wrote to memory of 2552	3736	SRManagerSOS.exe	109
PID 3736 wrote to memory of 2552	3736	SRManagerSOS.exe	109
PID 3736 wrote to memory of 2552	3736	SRManagerSOS.exe	109
PID 3736 wrote to memory of 3592	3736	SRManagerSOS.exe	113
PID 3736 wrote to memory of 3592	3736	SRManagerSOS.exe	113
PID 3736 wrote to memory of 3592	3736	SRManagerSOS.exe	113
PID 3592 wrote to memory of 888	3592	SRFeatureSOS.exe	114
PID 3592 wrote to memory of 888	3592	SRFeatureSOS.exe	114
PID 3592 wrote to memory of 888	3592	SRFeatureSOS.exe	114
PID 2348 wrote to memory of 3336	2348	SRAgentSOS.exe	117
PID 2348 wrote to memory of 3336	2348	SRAgentSOS.exe	117
PID 2348 wrote to memory of 3336	2348	SRAgentSOS.exe	117
PID 2348 wrote to memory of 2968	2348	SRAgentSOS.exe	123
PID 2348 wrote to memory of 2968	2348	SRAgentSOS.exe	123
PID 2348 wrote to memory of 2968	2348	SRAgentSOS.exe	123
PID 2968 wrote to memory of 2096	2968	cmd.exe	125
PID 2968 wrote to memory of 2096	2968	cmd.exe	125
PID 2968 wrote to memory of 4512	2968	cmd.exe	126
PID 2968 wrote to memory of 4512	2968	cmd.exe	126
PID 2968 wrote to memory of 4512	2968	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_0c724577d25a43dc8871864f016e0ac1_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\expand.exe
    C:\Windows\system32\expand.exe *.cab /f:* .\
    3⤵
    - Drops file in Windows directory
    PID:2468
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:1076
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:1108
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:592

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
  "SRManagerSOS.exe"
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
    SRServerSOS.exe -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_433b41c9d830.bat
      4⤵
      PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
        5⤵
        Drops file in System32 directory
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
      SRUtilitySOS.exe -r
      4⤵
      Executes dropped EXE
      PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt

Filesize
433B

MD5
913f6914ba5850c35968d40cd14fb484

SHA1
12a07516c93a06e273afaf59c2dce36f9daf945d

SHA256
2052e250dea3275d5713a3c129371e10607f3c2961ed46d7cb99f7ba99cf68c6

SHA512
5c048f97816d8952cca0fbe0e4cf310421f4b5b41a06f0a58008fccc335a9a5a7555fad2bba3254ddacd3cceb6e09f97751902828485eb9644fc376fc7c207d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
2KB

MD5
be485356737469fd51c7bcefbeae8028

SHA1
28f54dfa3af3be50062544841baabbe7b177156e

SHA256
49ff826095b825c281da5665f97bbacf8395fc457f6adb88500567e15bf48a9d

SHA512
3cda98819b72862ad81fea273800708f2a7db2f87c195d4064223abde8c5b15498259ae7ca134654d79c797c73df795b8d25a8ee2fdf9b5ce59756ce40b12370

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
4KB

MD5
44022010f31fcfa9372ccad2d18096ff

SHA1
f20df7edb54b20e0c151f1956a3ccf9d98ea3f91

SHA256
3d4d982a81c9fbd6d81afe1ed0fa1ad761c87b1bc46dc78881d3953bd1ac59d9

SHA512
6648f99d25512025c52409c5123fd5c2621f82ea31d33561d22e22e1aa33800901521b247659aa4bc6a2da72fcc511b67338e7dc6e2ee99ce988f3c6f313f8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check

Filesize
398B

MD5
1081737a98e21a9b68ae889f973adc49

SHA1
8f9cf4ced13f1447c3b6202c3735506997ace574

SHA256
8bfd56a9b7224351f060963763309e8d26e446a05a27a959bcfe7fb3cd6f0b69

SHA512
18bcffc158ffacca4c496f9ecc8562e7243414f1c9824057cd85953f7954a960c48d4e323a457f99e61568ca94bbcd47e38f234c5f9cc40649a9d7d75c19d903

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa

Filesize
256B

MD5
e932b85e2ecb9e60b86c94d30b9d7ec0

SHA1
fd37825ccbc8811664eb64a2ec1784a63ec2ddbe

SHA256
68b87404e7a0ee98ccac0a0f99a47dd8bb4f2ac28f0cfa3420081d8342f9808e

SHA512
6ed68fe1e126975e63952a2cff946bfd13b36f4bade8c6ca9d6499926c0035bea7e52d4d03db8bb04185095966bfdd5aad5c862c2dc42ce7b09b6942beebd4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json

Filesize
306B

MD5
44e206f5fab6e11b095bb0b396367f96

SHA1
363ef0bbb7b20a47f484bb6bad38747dffb24ecb

SHA256
496fbc5242aa7d98b4ebae5c9b74efa56ed0200b9b70ec6a307f7272d5dad315

SHA512
4906e5d9aad73f220d3e0302625cf1770f2bfe5165fa8b292024457a0f42cd88860a068f1a89383956a7846751848673b3d9eef55588ac5e9bb93e3c6c394eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini

Filesize
149B

MD5
bcfe7bce1a9fa5807ceefc6db0cd37db

SHA1
227f259179891bf01efa5ba669c1041a1f1979a9

SHA256
08e90f22b4bdf45533fa5d4ba25b7d25aeba216478dbaabfd6c82863808c59c9

SHA512
4416827c8e85ca65c0d2022a6bb3718a0c2be4f8280be591121ad597905e7328971055f775bbf984b9ce7c7f1b4da0811c5dddb66b3e879a511f97d25d25c966

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme

Filesize
13KB

MD5
2650d0c74c7284eb1e550ea0e8b2ee32

SHA1
0f87b0d758143b5c5e6b3cfc0b8bd1898937b64a

SHA256
e8a389afe6f208caf2580a504ff1c2aa1aa88334600a30786334ad08e421033f

SHA512
0fae411c141fce662af72049197aa8f901a874a27de56d2db9daf0245c12a36206c2b8a88c0678a441d07c7f00e14b8b82ea2582cb7e7992677ed9cc37d59f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

Filesize
2KB

MD5
8ce869f7dbbb2e38c8de76716e49b8a5

SHA1
de73a6b80fca67b06a7e1fec1904095d61b7b864

SHA256
1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47

SHA512
98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm

Filesize
154KB

MD5
ab3d7c0401590bbdaf4b3c84592d24d6

SHA1
756f86b49ca2035638f77bbeb60cfe6a827b553e

SHA256
4428a8b3f1a63312918ff5f8e1d5ee1f6eeba9d73a336721338d494d2b6e5f6c

SHA512
24aac8d02347ef3e226531ca15b71714cb53546c7aa1b4d961a72e097c3528ae2590b00ecbaa7e80815e99fafb6919d234e957dfcd08467cd753b24c004b6124

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

Filesize
184KB

MD5
2def326d4f3ad50a7abb0f20944405fc

SHA1
c99b7a01019992e4180a5a9d67a8f30a5bda46d7

SHA256
ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092

SHA512
43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.cert

Filesize
920B

MD5
2514dd7f278b03c97adba8c9670c5a80

SHA1
b536da4c2409d88de4c9b0b6bd6612791093b643

SHA256
f8b43391b91b75187c79e21ae38ac007aeaa33fdf3cff29a118e33f45babb723

SHA512
cae368dd97f5a053ca8d0ce2df45661c972838ba66730409ab688d2db72b3c07ff2b10493bbc004dbe304875665334e34999108ef2ff94ef09706fba12588664

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.key

Filesize
1KB

MD5
119ac9a28d3b242830405c63d033b60b

SHA1
d5e178c565078a87e014a8766a88bbcd262c2308

SHA256
31de8b799f35e156740c0ff6ce5db22953f6d54d621e9565e95e8409ac37ec54

SHA512
7196ea427a707e2a68cf5a5a051c230efa98696f0427801d608ddd0ad336c8d3ef71c41deec6161acd2ee2e504a62434e0f2f7726c6f85c0c126042306b754c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

Filesize
2.0MB

MD5
fb8af7753cb2a3583d8e5372e295f04d

SHA1
f232d9b86386399a5cf43a4e3247c22ef18b85c6

SHA256
bbc7e13444052825b3ae254c0f4e18660df1a954840a68e37eb70a9e37acf461

SHA512
8a5e8a2e91f4ab94596fa0f57a5d9b61f9e15b8127e84692eedff9e09ab1bc9d2611bc58fca70635ceb2f4b1bffc2c0f0431f61bfbecadfc0dfca7fda0aa5923

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

Filesize
2.7MB

MD5
13b2d865ec33421538e2466300e6cfc2

SHA1
d850b3621d8354270a548c2e55fc06379d49ea2c

SHA256
6761e45fa371e19dd77f1ab8cc715a93fa6221031d2b9424cda403728aa41ccb

SHA512
4bdc9eeb71d61ca3db71797a7d923fe9031ef2404cb3a88d41bdc3b2d80d080088cd49b14de2842d0e0593a52e3a9bb9d72e46268745ea7737de789a5c9edc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe

Filesize
2.7MB

MD5
b08752b3b3192966d5808864899f782a

SHA1
3e5609d69b49932f5e34dd297276b5b5dd79ba42

SHA256
e15048013473076c144d4326fa5bccd8abaf6479a33bf8cfdea2ab0cf4b01a0c

SHA512
2c57c66f50dfa77456f70f07aa235964fd71925c149f2b0baaa2933a7b75c53fc4c09e9703c094357a4562eb89e358f2730d58f686758a7b27d39e27f1076722

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioChatSOS.exe

Filesize
2.7MB

MD5
fa0ed79ba4dc1468e9cfee937fea11f2

SHA1
180786db516284c60070eba4f14159316eacce1c

SHA256
a83172a8bbb9317b945154cc6ec66440ded7a181998359711bd08023870f76a4

SHA512
19c18f7c3db7b4683c5ba999e21d95975ea40622d98b3b20a7d5f9c4e9d38426d6db0df365c4e9fefb04f7e3365cf57c4b328b4d714dae5baea9a1c14024baf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioResample.dll

Filesize
124KB

MD5
69dc934d7754b48537b81ae7b59c07c8

SHA1
bd1325d4c0047da750caffb7dc6d49ede912ac4a

SHA256
72945a21013d192a36c7c339e52e7e7341a6c99f36d67ebdffa360874063defe

SHA512
aa8140c29748ed7ab46050b49beee9a0f46ab08ae9fc2461631c06ab005d57c50ad1b3409643d11f69a671c1891a94550cce80407cd2e58a2d053d2c3cd7cbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe

Filesize
2.7MB

MD5
549032ab1dabfe314669a9ff425ee57a

SHA1
37f881e80e7424732c630f50b49461a5297e9081

SHA256
aab91021230e5786711b1b862d0c41c3c48c9079ba143cb4bd4f6a49e99fa0e8

SHA512
83720e5698a8df49518d9281af33c4b67f14a04c01dcc2c1bef10deb4d4360942199a2451ee784df562c9f557f9080772c7c259d7377dd33b7f38e87ceebafc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

Filesize
5KB

MD5
a8b2b3d6c831f120ce624cff48156558

SHA1
202db3bd86f48c2a8779d079716b8cc5363edece

SHA256
33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484

SHA512
3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

Filesize
4.6MB

MD5
3e76e9316ef4786a23fb89f0c2b675ae

SHA1
b97760551fbaf04f95efb41fb5e6223327fac922

SHA256
a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af

SHA512
5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOSNoUIA.exe

Filesize
4.6MB

MD5
b591229685ad17957bb2a159c2a4b78b

SHA1
42f0f661f7339f879311c48d687a5ad8b562a220

SHA256
4c241f9525bbf33f48771c647a56ffe1b3749ec81942044db25a08b0c400cffb

SHA512
f80594e3741e12cb0fcadc2ab04ef019338f68b9f60771d51d05b406ff16314a041643044067cd846050b62c8642fde252c7c88e7df3641e200d4ff8aad2cc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

Filesize
1.8MB

MD5
c99c8787347caef751fba46a2bc529fc

SHA1
6c2051fa486b673b9ffd01dae98ae6ec263be390

SHA256
ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20

SHA512
99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SROpus.dll

Filesize
322KB

MD5
7c3b0175c350e6aea7c5f4f331fb7457

SHA1
46fe50380b66c64a98b08017dc0d8566d9b22847

SHA256
a83cdfc6addac319e9cf2f950958db790ca430f96d900b5205828ebe9b2829a8

SHA512
4b3972eb174ae834b39f34d51d19aca9eace14cacc54d0314dfbde8b38c2a0514e81b5861bee9cf8465313f6b98db31b0c2d314b052cc8f5cdf58c7af7e61aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

Filesize
5.1MB

MD5
d8e1c8358050a62961004beb6d598ec8

SHA1
1c1bc7c986c445d3c9e77b8efac621cb7b2b569c

SHA256
603193ec2b0e96ec483c8eaa92a517b8f685fb72875d2c5bd7c79fb0e5d7c38c

SHA512
cfbc2dde98458831e83e9dcf3ded621a3e1b26f73bac3a743f71923373429e993b9af2e5e1c8b9602e68741a8dc7f0ddea62add1f1a3d5a12b0269ea8c5d55fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

Filesize
394KB

MD5
0abd0b462f8e07c20af3719bc672a71c

SHA1
9bac3e016617fb3034e7b24080f200acc337ad17

SHA256
3aeae10915f253166fb4ebf11993ea7e2bccd2583979870633d8db13b3005b7f

SHA512
83063c919b8c6816fdac1c2593eb6e998f996ce1487ebf06f51fa5219d127aa966eb3d1d365d1c7a5369d99d042900c60465aa9d6515a7aef06a2bc70c7eed29

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

Filesize
156KB

MD5
e6066e9e4aa21333b30fe304ea32d40a

SHA1
568ae6207f94314590c768d47346231e5118239c

SHA256
0a0b3845d467f3f9abce841a93dda696fe80cd261242cce863d3c6abd92f01cf

SHA512
fdf2f9a348d0b7f38857b87b8c5d0101a57bb4695c17ad8864f92266522879df2d3e6bfc90b2885b8ecc0dd76e317581232b3711611c6ae340b2260749731598

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

Filesize
548KB

MD5
a9a9d31764b50858a01b1fb228406f06

SHA1
7a313c46f049287045992f54f9d6eda9db568ef8

SHA256
c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645

SHA512
164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3

Filesize
80KB

MD5
9b06120ef81a3235a27ee24a6e90dfb4

SHA1
e26261b1987dc7f02c8b7ba501a1edac78de1373

SHA256
ce23a30bf24d56965655e3abf77667c6055644873de74f6373456cdb9e62f152

SHA512
8421c769223f6b52661319330807d4ba28aded133c321f1df8cbe170f461870b9a242a93a61d402db9c0922d4d87966725b84538a284792f63c4de01a619a996

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

Filesize
1.0MB

MD5
eeda10135ede6edb5c85df3bd878e557

SHA1
8a1059dfd641269945e7a2710b684881bb63e8d2

SHA256
4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697

SHA512
a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf

Filesize
592B

MD5
e077993e994d28bbc7502681280c5551

SHA1
9c3b360f9e81ccf8c8b56be25e4ce9d67d1f61b4

SHA256
b8d539255fb1ea42ee3b06f0e314b037e35701e2b258272889d866dd3419526b

SHA512
b2fed3539bd94999f9f9a2cfebac6a3632212c10f3d97a5129e444fc548d1685877d0810790b71d342a4ef9080d1efc73bf7a9493b5ccbd93232231ee2251abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll

Filesize
681KB

MD5
68d8d459ee6a5027ffe35302b21d66fa

SHA1
91299e1ff75b293a18105fbdfcb2cde92a6c8507

SHA256
0ef5739fcc3850411e1db6af2e194e25c7e473bb950a387a7c851fe02660b4e8

SHA512
c032e6c057da58374ff51b50b2146e4b27eb6a18a452668eb2c78e3f4e729399f303873a2dc40f5910826a4f23146dfb851b62df3d5948a9039ec6ed23e53b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.cnf

Filesize
168B

MD5
a43b7d72b482d48804b377d8832c2693

SHA1
b1598efda8e9863f520abef9aaa942c313c002fd

SHA256
9acde3809e2c02fe5d6c59153aefffe6628996ec5cfb7c2385865dcd1ec8be7e

SHA512
f0777a8f79e70f8a12f531c3e77f5241e9ed46acc6a1cbf06ff7a29d91ee281e4cd2a9c1832642992fe74d33b052670f85439e5925fdb7c44de60014e53712da

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.dll

Filesize
157KB

MD5
cf52dbefbe8bc2dcd493cdbf050048e1

SHA1
aed132b049c77fd77645d07b443e1b4e96cb5e51

SHA256
8080e398edc43e652c0a104f62ad3c865e9bdc75c2e3936870deaf43fedbc3a4

SHA512
75133444a893002b9933eb3a44b66cd862fedc9c05579b188eb250bbc3cc00c61533fb3aa58a1d9b89b45f83cff8a3b02cb0fb605b299e0e7bace13b99020207

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll

Filesize
104KB

MD5
d67c971bfe675aada6ad8368e6148b88

SHA1
11500abbb177b4f88d7005731b541e131ddf21e8

SHA256
1fe6438ff3bd14994366f17d902a86a574ed15c4fa8eeb8181f2bb0597778fa7

SHA512
16b8bc0071aae9a1f20720109d81a8ede52c677c5d3bf77ec18a77a301ec1e8d3fc7a826e094d4a601810245cb985e36ac207af8ad5c9bfd541b2d4e3f667825

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

Filesize
1.3MB

MD5
72d867e8c7a84374aa72bf7feca4334e

SHA1
bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e

SHA256
17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84

SHA512
b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

Filesize
365KB

MD5
278d7f9c9a7526f35e1774cca0059c36

SHA1
423f1ebd3cbd52046a16538d6baa17076610cb2f

SHA256
12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8

SHA512
75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

Filesize
333KB

MD5
99a6a9656da926af8aa648d50b47dcfb

SHA1
81db96003bd8f63250abc7e59fb35e0227d3f28a

SHA256
fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98

SHA512
16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll

Filesize
1.0MB

MD5
8e6ec55a95198bfcce99b73bfe02382e

SHA1
7fc7987cd20030152739549400f1704fe998b36a

SHA256
f89f364ef61da19971e6bd83fe52c8c25c9c8aa60c80acb5b69d2995d5de56d6

SHA512
efe60eb429d8f70d80300a067c119c69419ad6aedb0ea787f91b241dac3d7e863734a6245bb8b88f2bf327ae173c1453b104a6e9e15901ee74a17c6a148d10d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_mount.bat

Filesize
214B

MD5
88e59700f53de95d2847b9687764be30

SHA1
cd5780dbf1c711b9c28dc001f4149ba3251becf7

SHA256
b085f4e0d6a7a4dc967c96d7c318cb749bc497135fd9e35d7ad0c88e6c53f577

SHA512
6e7d2fd4cf87b63bab39e225362ecbe60f52fab0da42c97834b8ea59d653cdbd06b98e2c490c5465b1999af2f7869f729cbfc34e55d5ecc768d85d48b9874374

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat

Filesize
203B

MD5
fa3c191799254e542687f1f5d0974bc5

SHA1
dc85aac2aa31cd3de9017e7e099581457ad4fbf2

SHA256
347b12e6e2fc79e2a3668625341d7642d531159ffe5b01ab2bc5469e0efc6b3f

SHA512
635689814e63084910541ba68fe8ade8fdfbc3d0100afd61ddd13d07e61f3478ba75e4d24aa7b26df21a3e46c4ed2b1c8789520c5634cac63cfe32dcb1e8686e

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\reboot.bat

Filesize
3KB

MD5
abe8e3568b6d951e7dd395da46531932

SHA1
304d81c1b48e16533ef691a9c965818136b9583c

SHA256
eb700422c31c15757a6c70141274a184d291aac3bde191a964f75a90bc084143

SHA512
19a79d90883103302bddbac8a765c6a5196fb78c223d911633285b4ba44ebffa9c64690102498e3bef5991dba0f28847473a44d4f9aa7d637a4c4d3f1efea12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat

Filesize
17KB

MD5
2dac6568b843ebdc5c98598ca32918be

SHA1
e7740e4be7f71a82adbb6e5224d33534e237614c

SHA256
eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7

SHA512
1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat

Filesize
19KB

MD5
1d56a3f8d7f5dab184a8cc4feddaa173

SHA1
75d291cb96fdc05d54c962f1cb08796ee439b22f

SHA256
84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e

SHA512
fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

Filesize
16.0MB

MD5
ee7c1fa035cac997ff78b2a8d77b19c3

SHA1
9ed41bd57a4af443ed246693da7b66a96c181cb3

SHA256
ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af

SHA512
ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

Filesize
190KB

MD5
4a2f597c15ad595cfd83f8a34a0ab07a

SHA1
7f6481be6ddd959adde53251fa7e9283a01f0962

SHA256
5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804

SHA512
0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_0a2xtkel.bmi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\bd2_request_433b41c9d830.bat

Filesize
158B

MD5
c34edf7377b478212aed6a3250e3017f

SHA1
6a33106abcc3bfaa1af4fc7e0df3b12269afd0cf

SHA256
d336ba568ef50d234c227319bcd36d6a0fbca83ae1c120f1dcdec2df87e6a2b3

SHA512
ffb7cbf13733655ee0bc6dba01296037d4ae48f15bb5a6a04d19243ad7005bfe42fbb6cf6f4c25104d606e71067d95708f6d72155ba8e4a798f4b302c48bac98

Download Submit
memory/2348-331-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/2348-232-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/2348-333-0x0000000072740000-0x0000000072B04000-memory.dmp

Filesize
3.8MB

Download
memory/2348-332-0x0000000072B10000-0x0000000072C2C000-memory.dmp

Filesize
1.1MB

Download
memory/2348-245-0x0000000072740000-0x0000000072B04000-memory.dmp

Filesize
3.8MB

Download
memory/2348-233-0x0000000072B10000-0x0000000072C2C000-memory.dmp

Filesize
1.1MB

Download
memory/3736-328-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/3736-352-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/3736-216-0x0000000072740000-0x0000000072B04000-memory.dmp

Filesize
3.8MB

Download
memory/3736-382-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/3736-210-0x0000000072C60000-0x0000000072D5D000-memory.dmp

Filesize
1012KB

Download
memory/3736-384-0x0000000072740000-0x0000000072B04000-memory.dmp

Filesize
3.8MB

Download
memory/3736-383-0x0000000072B10000-0x0000000072C2C000-memory.dmp

Filesize
1.1MB

Download
memory/3736-330-0x0000000072740000-0x0000000072B04000-memory.dmp

Filesize
3.8MB

Download
memory/3736-329-0x0000000072B10000-0x0000000072C2C000-memory.dmp

Filesize
1.1MB

Download
memory/3736-215-0x0000000072B10000-0x0000000072C2C000-memory.dmp

Filesize
1.1MB

Download
memory/4512-325-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

Filesize
304KB

Download
memory/4512-326-0x00000000073D0000-0x0000000007A4A000-memory.dmp

Filesize
6.5MB

Download
memory/4512-324-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/4512-323-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download
memory/4512-313-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4512-312-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4512-311-0x0000000004CF0000-0x0000000004D12000-memory.dmp

Filesize
136KB

Download
memory/4512-310-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4512-309-0x00000000046C0000-0x00000000046F6000-memory.dmp

Filesize
216KB

Download
memory/4512-327-0x00000000061B0000-0x00000000061CA000-memory.dmp

Filesize
104KB

Download
memory/4512-340-0x0000000006C90000-0x0000000006CA8000-memory.dmp

Filesize
96KB

Download
memory/4512-341-0x0000000007A50000-0x0000000007C12000-memory.dmp

Filesize
1.8MB

Download
memory/4512-343-0x0000000009DC0000-0x000000000A2EC000-memory.dmp

Filesize
5.2MB

Download