Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2024, 00:38
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe
  Resource: win7-20240221-en
General
Target: 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe
Size: 16.8MB
MD5: 59b7867b993f6a66891271a43964ee3c
SHA1: a33f1e7aa823e08fd39e2c052f6342b0cd8b61ed
SHA256: 3cea5fa48fe5f9d3e6e7e6249277dcbeef2f558bcee1395947070cf9425bcee1
SHA512: 112674a30d4552563688d037bff63c67650ebc2d06cbd6bda2672adc1fd93fdc85d2b5a004d286cab30900eda9e540b3af6d3545d5b57caba696c5ba5ccba0cd
SSDEEP: 393216:CvBGFZjC0mmzdHfXi1G5SnvOXqlMpgDpn2a+jsxIDiYC:O2pCFEfi1G502cMq9l9xIG9
Malware Config
No malware configuration was extracted from this run. The "_icedid" suffix is part of the submitted file name, not a verdict: none of the signatures below attributes the sample to the IcedID family, and the family label should be treated as unverified until the dropped components (Launcher.exe and the SR*SOS.exe set listed under Processes) have been examined on their own.
Signatures
UPX dump on OEP (original entry point) 36 IoCs
resource / yara_rule UPX. Identical hits are collapsed; the numbers in braces are the report's snapshot indices. Four dropped files and 32 memory regions match. All memory hits are image-sized mappings in the 0x726E0000-0x7393D000 range of SRManagerSOS.exe (620) and SRAgentSOS.exe (2108), consistent with the dropped DLLs those two processes load (see Loads dropped DLL) rather than with their main executables.
behavioral1/files/0x0006000000018b37-195.dat
behavioral1/files/0x0006000000018b33-232.dat
behavioral1/files/0x00050000000194ea-236.dat
behavioral1/files/0x0006000000018b4a-364.dat
behavioral1/memory/620-{238,306,365,369,380,416}-0x0000000073840000-0x000000007393D000-memory.dmp
behavioral1/memory/2108-{268,334,393,425}-0x0000000073840000-0x000000007393D000-memory.dmp
behavioral1/memory/620-{241,307,366,370,381,417}-0x00000000736E0000-0x00000000737FC000-memory.dmp
behavioral1/memory/2108-{335,394,426}-0x00000000736E0000-0x00000000737FC000-memory.dmp
behavioral1/memory/620-{244,308,367,379,418}-0x0000000073010000-0x00000000733D4000-memory.dmp
behavioral1/memory/2108-{269,336,395,427}-0x0000000073010000-0x00000000733D4000-memory.dmp
behavioral1/memory/620-{371}-0x0000000072910000-0x00000000729F9000-memory.dmp
behavioral1/memory/620-{384}-0x00000000727D0000-0x00000000728B9000-memory.dmp
behavioral1/memory/620-{392,406}-0x00000000726E0000-0x00000000727C9000-memory.dmp
ACProtect 1.3x - 1.4x DLL software 4 IoCs
Detects file using ACProtect software.
resource / yara_rule acprotect:
behavioral1/files/0x0006000000018b37-195.dat
behavioral1/files/0x0006000000018b33-232.dat
behavioral1/files/0x00050000000194ea-236.dat
behavioral1/files/0x0006000000018b4a-364.dat
These are the same four dropped files that the UPX rules match. A packer signature on a dropped DLL says nothing about what the DLL does, so the four files need to be unpacked and assessed on their own.
UPX packed file 36 IoCs
Detects executables packed with UPX.
resource / yara_rule upx: the same 36 resources (four dropped .dat files and the 32 memory regions of PIDs 620 and 2108) that are listed under "UPX dump on OEP" above.
Drops file in System32 directory 14 IoCs
All 14 paths are under C:\Windows\SysWOW64\config\systemprofile\, the profile of the LocalSystem account, which is consistent with SRManagerSOS.exe and SRAppPBSOS.exe running as SYSTEM via the scheduled task (see Processes). Twelve are CryptoAPI's CryptnetUrlCache (a MetaData and a Content entry for each object fetched over HTTP during certificate chain building, such as CRLs and AIA certificates); the other two are the GDI+ font cache. None of them is a dropped executable.
File opened for modification by SRManagerSOS.exe under C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\, both MetaData\<name> and Content\<name>, for:
- C86BD7751D53F10F65AAAD66BBDF33C7
- 8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651
- 94308059B57B3142E455B38A6EB92015
- F0ACCF77CDCBFF39F6191887F6D2D357
- 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
- C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
By SRAppPBSOS.exe:
- File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 3 IoCs
- File opened for modification C:\Windows\Logs\DPX\setupact.log (expand.exe)
- File opened for modification C:\Windows\Logs\DPX\setuperr.log (expand.exe)
- File opened for modification C:\Windows\WindowsUpdate.log (SRAgentSOS.exe)
The two DPX logs are expand.exe's own logging while it unpacks the .cab files. The WindowsUpdate.log write by SRAgentSOS.exe is consistent with that process using the Windows Update Agent API.
Executes dropped EXE 7 IoCs
pid / Process:
2952 Launcher.exe
620 SRManagerSOS.exe
2836 SRServerSOS.exe
2108 SRAgentSOS.exe
2292 SRAppPBSOS.exe
2880 SRFeatureSOS.exe
2748 SRUtilitySOS.exe
Loads dropped DLL 21 IoCs
pid / Process (identical entries collapsed, count in parentheses):
2952 Launcher.exe (1)
620 SRManagerSOS.exe (11)
2836 SRServerSOS.exe (1)
2108 SRAgentSOS.exe (4)
2880 SRFeatureSOS.exe (4)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 2220 schtasks.exe
In this run the task is not left behind for persistence. The sample registers ASOS1 from ASOS.xml with /ru "system", rewrites its action with /change to Launcher.exe in its own Temp directory, fires it with /run and removes it with /delete /f (see Processes). taskeng.exe then starts Launcher.exe under S-1-5-18, so the task's purpose is to move execution from the Admin session into SYSTEM context. Creating a task with /ru system already requires administrative rights, so this is a context switch, not a privilege-escalation exploit; the HKEY_USERS\.DEFAULT and systemprofile writes below are the downstream evidence of it.
Modifies data under HKEY_USERS 53 IoCs
All writes go to \REGISTRY\USER\.DEFAULT, the hive the LocalSystem account sees as HKCU, which again reflects the SYSTEM context. 41 of the 53 entries are the per-user certificate store skeleton that CryptoAPI creates when a process first opens the user stores; the rest are first-run keys for network location awareness, WinTrust, the MUI cache, Direct3D and GDI+. Identical path prefixes are grouped below.
Key created by SRManagerSOS.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ (25 entries):
- My
- Root, Root\Certificates, Root\CRLs, Root\CTLs
- CA, CA\Certificates, CA\CRLs, CA\CTLs
- trust, trust\Certificates, trust\CRLs, trust\CTLs
- Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
- TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
- SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
Key created by SRManagerSOS.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\ (16 entries):
- CA, CA\Certificates, CA\CRLs, CA\CTLs
- trust, trust\Certificates, trust\CRLs, trust\CTLs
- Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
- TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Other keys created by SRManagerSOS.exe (7 entries):
- \REGISTRY\USER\.DEFAULT\SOFTWARE
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Value set by SRManagerSOS.exe (1 entry):
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (REG_MULTI_SZ "en-US", "en")
SRFeatureSOS.exe (2 entries):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe"
SRServerSOS.exe (2 entries):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local"
Modifies system certificate store 8 IoCs
The writes go to HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot, the store that CryptoAPI's automatic root update fills with roots fetched on demand from Windows Update, not to the Root store. The one Blob whose content survived on this page is a sequence of CryptoAPI property records; its certificate record (property 32) decodes to the public "DigiCert Assured ID Root CA" (serial 0CE7E0E517D846FE8FE560FC1BF03039, validity 2006-11-10 to 2031-11-10), and its SHA-1 property equals the key name 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43. That is the expected side effect of chain building under the SYSTEM profile, not the installation of an attacker-controlled root. The second key, 2796BAE63F1801E277261BA0D77770028F20EEE4, should be checked the same way when its Blob is available.
description / ioc / Process (identical entries collapsed, count in parentheses):
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 SRManagerSOS.exe (2)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 SRManagerSOS.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 SRManagerSOS.exe (3)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 SRManagerSOS.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob =
0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f09
3c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 SRManagerSOS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (identical entries collapsed, count in parentheses; 64 is the report's per-signature cap, so the counts are lower bounds):
1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe (29)
620 SRManagerSOS.exe (14)
2108 SRAgentSOS.exe (1)
2292 SRAppPBSOS.exe (14)
2748 SRUtilitySOS.exe (6)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process: Token: SeShutdownPrivilege, 2108 SRAgentSOS.exe
SeShutdownPrivilege is the right to shut down or restart the machine. Enabled by the same process that writes WindowsUpdate.log, it fits an updater-style component rather than an injection or credential-theft primitive.
Suspicious use of SetWindowsHookEx 6 IoCs
pid / Process (identical entries collapsed, count in parentheses):
1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe (2)
2836 SRServerSOS.exe (2)
2292 SRAppPBSOS.exe (2)
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into a child it has just created, and the edges are exactly those of the process tree below, so here the signature records process creation rather than injection into an unrelated process. The list stops at the report's cap of 64 entries: the tree also shows 620 SRManagerSOS.exe starting 2880 SRFeatureSOS.exe, 2880 starting 2748 SRUtilitySOS.exe and 2108 SRAgentSOS.exe starting 2284 cmd.exe, none of which appear here.
description / pid / Process / procid_target (identical entries collapsed, count in parentheses):
- PID 1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe wrote to memory of 2556 cmd.exe, target 28 (4)
- PID 2556 cmd.exe wrote to memory of 2540 expand.exe, target 30 (3)
- PID 1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe wrote to memory of 2136 cmd.exe, target 31 (4)
- PID 2136 cmd.exe wrote to memory of 2220 schtasks.exe, target 33 (3)
- PID 1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe wrote to memory of 2356 cmd.exe, target 34 (4)
- PID 2356 cmd.exe wrote to memory of 1632 schtasks.exe, target 36 (3)
- PID 1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe wrote to memory of 1624 cmd.exe, target 37 (4)
- PID 1624 cmd.exe wrote to memory of 2960 schtasks.exe, target 39 (3)
- PID 1760 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe wrote to memory of 2520 cmd.exe, target 41 (4)
- PID 2520 cmd.exe wrote to memory of 2800 schtasks.exe, target 44 (3)
- PID 2000 taskeng.exe wrote to memory of 2952 Launcher.exe, target 43 (7)
- PID 2952 Launcher.exe wrote to memory of 620 SRManagerSOS.exe, target 46 (7)
- PID 620 SRManagerSOS.exe wrote to memory of 2836 SRServerSOS.exe, target 47 (4)
- PID 620 SRManagerSOS.exe wrote to memory of 2108 SRAgentSOS.exe, target 48 (7)
- PID 620 SRManagerSOS.exe wrote to memory of 2292 SRAppPBSOS.exe, target 49 (4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent/child. Each entry gives the image path, the command line, the PID and the signatures that process triggered.

C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"
    PID:1760
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
        PID:2556
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\expand.exe
            cmdline: C:\Windows\system32\expand.exe *.cab /f:* .\
            PID:2540
            - Drops file in Windows directory

    C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
        PID:2136
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
            PID:2220
            - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
        PID:2356
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
            cmdline: schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
            PID:1632

    C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
        PID:1624
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
            cmdline: schtasks /run /tn ASOS1
            PID:2960

    C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
        PID:2520
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
            cmdline: schtasks /delete /f /tn ASOS1
            PID:2800

C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {8351FEA9-1A63-44EE-8AB2-B982BC4F4E6E} S-1-5-18:NT AUTHORITY\System:Service:
    PID:2000
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
        PID:2952
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
            cmdline: "SRManagerSOS.exe"
            PID:620
            - Drops file in System32 directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies data under HKEY_USERS
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
                cmdline: SRServerSOS.exe -s
                PID:2836
                - Executes dropped EXE
                - Loads dropped DLL
                - Modifies data under HKEY_USERS
                - Suspicious use of SetWindowsHookEx

            C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
                PID:2108
                - Drops file in Windows directory
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\cmd.exe
                    cmdline: cmd /c C:\Windows\Temp\bd2_request_12646d835d4c4ea.bat
                    PID:2284

            C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
                PID:2292
                - Drops file in System32 directory
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx

            C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
                PID:2880
                - Executes dropped EXE
                - Loads dropped DLL
                - Modifies data under HKEY_USERS

                C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
                    cmdline: SRUtilitySOS.exe -r
                    PID:2748
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
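The sequence in the tree above (schtasks /create with /ru system, /change to re-point the action at a file in the user's Temp directory, /run, /delete /f, then taskeng.exe starting the dropped Launcher.exe as S-1-5-18) is a compact detection target that does not depend on the task name. The script below is an added example, not part of the sandbox report. It replays constructed process-creation records built from the command lines in the tree (the user names, and the parent PIDs of the first process and of taskeng.exe, are assumptions) and flags a task that is created or re-pointed to run as SYSTEM, executed and deleted within a short window, plus any SYSTEM process whose image lives in a user Temp directory.

```python
"""Detect the schtasks create/change/run/delete hop into SYSTEM context over
process-creation events (e.g. Sysmon Event ID 1 or Security 4688 records).

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines in the report's process tree; user names and the parent PIDs of
the sample (1000) and of taskeng.exe (800) are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    seq: int        # ordering key; a real feed carries a timestamp here
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\unpacksos\1"
ADMIN, SYSTEM = "WIN7\\Admin", "NT AUTHORITY\\SYSTEM"
CHANGE = r'''schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "'''

EVENTS = [  # constructed records, modelled on the process tree
    ProcEvent(1, 1760, 1000, SAMPLE, f'"{SAMPLE}"', ADMIN),
    ProcEvent(2, 2556, 1760, r"C:\Windows\system32\cmd.exe",
              '"C:\\Windows\\sysnative\\cmd.exe" /c C:\\Windows\\system32\\expand.exe *.cab /f:* .\\', ADMIN),
    ProcEvent(3, 2540, 2556, r"C:\Windows\system32\expand.exe",
              'C:\\Windows\\system32\\expand.exe *.cab /f:* .\\', ADMIN),
    ProcEvent(4, 2136, 1760, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1', ADMIN),
    ProcEvent(5, 2220, 2136, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1', ADMIN),
    ProcEvent(6, 2356, 1760, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\sysnative\cmd.exe" /c ' + CHANGE, ADMIN),
    ProcEvent(7, 1632, 2356, r"C:\Windows\system32\schtasks.exe", CHANGE, ADMIN),
    ProcEvent(8, 1624, 1760, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1', ADMIN),
    ProcEvent(9, 2960, 1624, r"C:\Windows\system32\schtasks.exe", "schtasks /run /tn ASOS1", ADMIN),
    ProcEvent(10, 2000, 800, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {8351FEA9-1A63-44EE-8AB2-B982BC4F4E6E} S-1-5-18:NT AUTHORITY\System:Service:", SYSTEM),
    ProcEvent(11, 2952, 2000, TMP + r"\Launcher.exe", TMP + r"\\Launcher.exe SRManagerSOS.exe 1", SYSTEM),
    ProcEvent(12, 620, 2952, TMP + r"\SRManagerSOS.exe", '"SRManagerSOS.exe"', SYSTEM),
    ProcEvent(13, 2520, 1760, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1', ADMIN),
    ProcEvent(14, 2800, 2520, r"C:\Windows\system32\schtasks.exe", "schtasks /delete /f /tn ASOS1", ADMIN),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')
ACTIONS = ("/create", "/change", "/run", "/delete")
SYSTEM_NAMES = {"system", "nt authority\\system", "s-1-5-18"}
_USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def parse_schtasks(cmdline: str):
    """Return {action, task, runas, tr} for a schtasks.exe command line, else None.
    Only the schtasks process itself matches, so the cmd.exe wrapper that
    launched it is not counted a second time."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    action = next((t.lower().lstrip("/") for t in toks[1:] if t.lower() in ACTIONS), None)
    if action is None:
        return None
    opts = {t.lower(): toks[i + 1] for i, t in enumerate(toks[:-1]) if t.lower() in ("/tn", "/ru", "/tr")}
    return {"action": action, "task": opts.get("/tn"), "runas": opts.get("/ru"), "tr": opts.get("/tr")}


def find_system_task_hops(events, max_span=60):
    """Tasks that were created or re-pointed with /ru SYSTEM, run, and deleted
    again within max_span sequence units (seconds in a real feed)."""
    by_task = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        p = parse_schtasks(ev.cmdline)
        if p and p["task"]:
            by_task[p["task"].upper()].append((ev.seq, p))
    hits = []
    for task, entries in by_task.items():
        actions = [p["action"] for _, p in entries]
        as_system = any((p["runas"] or "").lower() in SYSTEM_NAMES for _, p in entries)
        span = entries[-1][0] - entries[0][0]
        if as_system and {"create", "run", "delete"} <= set(actions) and span <= max_span:
            hits.append({"task": task, "actions": actions, "span": span,
                         "target": next((p["tr"] for _, p in entries if p["tr"]), None)})
    return hits


def system_procs_from_user_temp(events):
    """SYSTEM processes whose image lives in a user's Temp directory, which is
    what the task hop produces (Launcher.exe, then SRManagerSOS.exe)."""
    return [ev for ev in sorted(events, key=lambda e: e.seq)
            if ev.user.lower() in SYSTEM_NAMES and _USER_TEMP.match(ev.image)]


if __name__ == "__main__":
    for h in find_system_task_hops(EVENTS):
        print(f"task {h['task']}: {' -> '.join(h['actions'])} within {h['span']} steps; action = {h['target']}")
    for ev in system_procs_from_user_temp(EVENTS):
        print(f"SYSTEM process from user Temp: pid {ev.pid} {ev.image}")
```

On a real host, map Sysmon Event ID 1 fields (UtcTime, ProcessId, ParentProcessId, Image, CommandLine, User) onto ProcEvent and use the timestamp as seq; the task name plays no part in the logic, so a renamed task or XML file still trips the rule, and the second check catches the SYSTEM child even if the schtasks commands were never logged.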
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
523B
MD5af2a6d027d817ed6624ac7d46b969366
SHA14ae3c7533267a12c94fa9de938b8aa36df53f754
SHA256cfefcfdbbd4b27f344ea91c7e8d57afddf857f766d017ea3e3b3f9cda0322851
SHA51282495dff63952535ac2b0055806c84ef973f142107c1c225ab6dc73d08533ce7b8e2eb228380f44cc072792a0346edff72a65690a87815be580a0b24cdc3834e
-
Filesize
4KB
MD5
6db79f489c5eea155cfa109f38fb4f93
SHA1
37afeead44380c42d85341f419968a5402745d93
SHA256
f08612dcdc61237ea54aad93c31f7afd091680e275cf82a9c1a7994cc6f089ba
SHA512
c3ecd91618e92d0586e9e96bad2458d15e0c16e0a0c14122c5c0375bd50e9650b91b4daeb6b7f61f5f82a0d83fa64061e69860da77817972d3c6893d704986a5
-
Filesize
398B
MD5
8b46922727397a34cd895953b5a26d4b
SHA1
f1c442d9961ef63b5f7a904f1d138d857420a79b
SHA256
8c6bc965ec2ca1a84ba2781ea049bb9b21fedd9d27e7a363e26d53ecb1abb1f4
SHA512
b5e7bffdbd5e844e83a0cc2ce4caaa33902c75ff68c938b914424b5f361789272ba191e6bd263891bed4ee6a5cd9450bef8fba0b09a99c25a2474f17fdf147f4
-
Filesize
256B
MD5
6a279dd3ba7b1beab9f11d67ce728912
SHA1
9cb0bcc27500bb10bbc9f7a7f46f4bc6148224e4
SHA256
aa0552925308308a73a0f4419f463f63eeadb9cf5cf1f5284ca79f1b2a3f2ed7
SHA512
17e3c134021d1f29a26fd53b7f662ec849e9a56525766c7e6e2b86bed533039973363558b7e199e013d1ab905391b909bb7f483dd45352c3ac19ab9c3101f0ba
-
Filesize
347B
MD5
0fc9317cc6646f22cd2c7f0e199d9545
SHA1
eaa78dd9b130958180e76d6d089a9e00bca27694
SHA256
612ebe67185a4385e53a8e965782b22bb60c8ce485092c71e9bec748cd8c4258
SHA512
6fe66730c5b040c95931bf6618a84095131dd550d4a0cf74cd64bd4025e0c5b9e4c59c686b54c386f319ca5a12ae4d2820f62838e649d3a1557006aacb6d3aad
-
Filesize
149B
MD5
3a3009d863ba303572102ca4215af083
SHA1
b42e344a0f0f0adefe2e4e951e703d85929ac399
SHA256
61131ef61676070346adc61e143348fc8d6b8597305865345f5c104c2a79b14e
SHA512
db65b389ae9c0774d5d5725ad2dea1faf987198995d658af93af54f06376683a4393f71d2707132312a1ab286bd3535f484efe0f2ba2b98200e9afb546148dd8
-
Filesize
263KB
MD5
6a054bcf49a9e9f921bccd287e88a648
SHA1
4f776f06d2b7683c03ebac58ea4ba2cc9d928ed5
SHA256
de48033ef74945b4496d42017450de46d7fddc5f63c80324cda096f648f12edf
SHA512
fac5d10583d6d6cb947a8285abfec7505d5598a3f1eb8465214d77e3d3f41f07ff7244a479a91ca894ec765912dd347ab724c8eaa8c823e62a0a8824d3901b2a
-
Filesize
2KB
MD5
8ce869f7dbbb2e38c8de76716e49b8a5
SHA1
de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256
1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512
98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af
-
Filesize
184KB
MD5
2def326d4f3ad50a7abb0f20944405fc
SHA1
c99b7a01019992e4180a5a9d67a8f30a5bda46d7
SHA256
ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092
SHA512
43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4
-
Filesize
2.7MB
MD5
13b2d865ec33421538e2466300e6cfc2
SHA1
d850b3621d8354270a548c2e55fc06379d49ea2c
SHA256
6761e45fa371e19dd77f1ab8cc715a93fa6221031d2b9424cda403728aa41ccb
SHA512
4bdc9eeb71d61ca3db71797a7d923fe9031ef2404cb3a88d41bdc3b2d80d080088cd49b14de2842d0e0593a52e3a9bb9d72e46268745ea7737de789a5c9edc3c
-
Filesize
5KB
MD5
a8b2b3d6c831f120ce624cff48156558
SHA1
202db3bd86f48c2a8779d079716b8cc5363edece
SHA256
33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512
3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9
-
Filesize
4.6MB
MD5
3e76e9316ef4786a23fb89f0c2b675ae
SHA1
b97760551fbaf04f95efb41fb5e6223327fac922
SHA256
a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af
SHA512
5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d
-
Filesize
394KB
MD5
0abd0b462f8e07c20af3719bc672a71c
SHA1
9bac3e016617fb3034e7b24080f200acc337ad17
SHA256
3aeae10915f253166fb4ebf11993ea7e2bccd2583979870633d8db13b3005b7f
SHA512
83063c919b8c6816fdac1c2593eb6e998f996ce1487ebf06f51fa5219d127aa966eb3d1d365d1c7a5369d99d042900c60465aa9d6515a7aef06a2bc70c7eed29
-
Filesize
156KB
MD5
e6066e9e4aa21333b30fe304ea32d40a
SHA1
568ae6207f94314590c768d47346231e5118239c
SHA256
0a0b3845d467f3f9abce841a93dda696fe80cd261242cce863d3c6abd92f01cf
SHA512
fdf2f9a348d0b7f38857b87b8c5d0101a57bb4695c17ad8864f92266522879df2d3e6bfc90b2885b8ecc0dd76e317581232b3711611c6ae340b2260749731598
-
Filesize
80KB
MD5
af3eb83ac4a73ee01aa747872ec09717
SHA1
59e66cf1d974b5108f2ad169dece57cddfa6878c
SHA256
454949d6d9d626d16efaec3b97ba434b5c9a1f0e712afbb0e51ea2e39b4cf356
SHA512
ac9952905712d6c3546b2f0d953426fa2aec2311abadab44495f5196f873c4460fa21d0797c113621f7e1a3d669017d49a9bef45234025c5b2b9ef664fec390b
-
Filesize
91KB
MD5
8cfee57ebb5f1d41a1d293f0786bbad1
SHA1
02f6c748b94b49cb443b7f7b4e3e1e80e5d394a5
SHA256
9fd14605fe06d445b118f401e0556bd6783b9ad30010a932c83f0727df3198b3
SHA512
c271ac4b08eb10e43f7cad2e402bde1a1664506d1586b9c4835a221c11c32153e6ed8edd4782508c91bc651308fc85aab8d2bc7c33a013e55c1e734057d25d37
-
Filesize
1.3MB
MD5
72d867e8c7a84374aa72bf7feca4334e
SHA1
bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e
SHA256
17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84
SHA512
b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f
-
Filesize
333KB
MD5
99a6a9656da926af8aa648d50b47dcfb
SHA1
81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256
fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512
16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0
-
Filesize
16.0MB
MD5
ee7c1fa035cac997ff78b2a8d77b19c3
SHA1
9ed41bd57a4af443ed246693da7b66a96c181cb3
SHA256
ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af
SHA512
ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5
435a9ac180383f9fa094131b173a2f7b
SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
159B
MD5
a29bba44ad15b3c4af98a2a6f225362e
SHA1
5c832bf5791af55188249ecfc73e59dca12079c5
SHA256
835fe6050520b6b2c9914570b6195cc87284de00801f5e8e414ea57e4f50543c
SHA512
e6b8195a66e5c2129d8f8dea347950f41f667187109dbf3d7fcf16e5e308efcc669d3a5ea38b47e65f34ff6e9ff7a5bf3513037b62418ab62201b1ece7dd1aef
-
Filesize
2.0MB
MD5
fb8af7753cb2a3583d8e5372e295f04d
SHA1
f232d9b86386399a5cf43a4e3247c22ef18b85c6
SHA256
bbc7e13444052825b3ae254c0f4e18660df1a954840a68e37eb70a9e37acf461
SHA512
8a5e8a2e91f4ab94596fa0f57a5d9b61f9e15b8127e84692eedff9e09ab1bc9d2611bc58fca70635ceb2f4b1bffc2c0f0431f61bfbecadfc0dfca7fda0aa5923
-
Filesize
1.8MB
MD5
c99c8787347caef751fba46a2bc529fc
SHA1
6c2051fa486b673b9ffd01dae98ae6ec263be390
SHA256
ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20
SHA512
99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5
-
Filesize
5.1MB
MD5
d8e1c8358050a62961004beb6d598ec8
SHA1
1c1bc7c986c445d3c9e77b8efac621cb7b2b569c
SHA256
603193ec2b0e96ec483c8eaa92a517b8f685fb72875d2c5bd7c79fb0e5d7c38c
SHA512
cfbc2dde98458831e83e9dcf3ded621a3e1b26f73bac3a743f71923373429e993b9af2e5e1c8b9602e68741a8dc7f0ddea62add1f1a3d5a12b0269ea8c5d55fd
-
Filesize
548KB
MD5
a9a9d31764b50858a01b1fb228406f06
SHA1
7a313c46f049287045992f54f9d6eda9db568ef8
SHA256
c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645
SHA512
164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc
-
Filesize
1.0MB
MD5
eeda10135ede6edb5c85df3bd878e557
SHA1
8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256
4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512
a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591
-
Filesize
365KB
MD5
278d7f9c9a7526f35e1774cca0059c36
SHA1
423f1ebd3cbd52046a16538d6baa17076610cb2f
SHA256
12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8
SHA512
75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044
-
Filesize
190KB
MD5
4a2f597c15ad595cfd83f8a34a0ab07a
SHA1
7f6481be6ddd959adde53251fa7e9283a01f0962
SHA256
5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804
SHA512
0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f