Malware Analysis Report

2025-08-06 00:20

Sample ID 240528-azeajafh8t
Target 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid
SHA256 3cea5fa48fe5f9d3e6e7e6249277dcbeef2f558bcee1395947070cf9425bcee1
Tags
discovery upx execution
score
9/10


Analysis Overview

score
9/10

SHA256

3cea5fa48fe5f9d3e6e7e6249277dcbeef2f558bcee1395947070cf9425bcee1

Threat Level: Likely malicious

The file 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid was found to be: Likely malicious.

Malicious Activity Summary

discovery upx execution

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Drops file in System32 directory

Checks computer location settings

Checks installed software on the system

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 00:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 00:38

Reported

2024-05-28 00:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe" C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local" C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2556 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2556 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1760 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2136 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2136 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2136 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1760 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2356 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2356 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1760 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1624 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1624 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1624 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1760 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2000 wrote to memory of 2952 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2952 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 620 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 620 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 620 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 620 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 620 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Windows\system32\taskeng.exe

taskeng.exe {8351FEA9-1A63-44EE-8AB2-B982BC4F4E6E} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

"SRManagerSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

SRServerSOS.exe -s

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

SRUtilitySOS.exe -r

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\Temp\bd2_request_12646d835d4c4ea.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 76.223.35.50:443 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700.api.splashtop.com udp
US 35.71.177.13:443 st-lookup-v1-sos-srs-win-3700.api.splashtop.com tcp
US 8.8.8.8:53 st-v3-sos-srs-win-3700.api.splashtop.com udp
US 52.223.22.239:443 st-v3-sos-srs-win-3700.api.splashtop.com tcp
US 8.8.8.8:53 st-relay-v3-sos-srs-win-3700.api.splashtop.com udp
US 15.197.131.212:443 st-relay-v3-sos-srs-win-3700.api.splashtop.com tcp
US 8.8.8.8:53 132-145-25-233.relay.splashtop.com udp
GB 132.145.25.233:443 132-145-25-233.relay.splashtop.com tcp
US 8.8.8.8:53 129-151-93-178.relay.splashtop.com udp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
US 8.8.8.8:53 3-252-149-178.relay.splashtop.com udp
US 8.8.8.8:53 132-145-44-219.relay.splashtop.com udp
GB 132.145.44.219:443 132-145-44-219.relay.splashtop.com tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
N/A 127.0.0.1:49575 tcp
N/A 127.0.0.1:49577 tcp
N/A 127.0.0.1:49579 tcp
GB 132.145.44.219:443 132-145-44-219.relay.splashtop.com tcp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
N/A 127.0.0.1:49603 tcp
N/A 127.0.0.1:49605 tcp
N/A 127.0.0.1:49609 tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
GB 132.145.44.219:443 132-145-44-219.relay.splashtop.com tcp
N/A 127.0.0.1:49620 tcp
N/A 127.0.0.1:49622 tcp
N/A 127.0.0.1:49624 tcp

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 6db79f489c5eea155cfa109f38fb4f93
SHA1 37afeead44380c42d85341f419968a5402745d93
SHA256 f08612dcdc61237ea54aad93c31f7afd091680e275cf82a9c1a7994cc6f089ba
SHA512 c3ecd91618e92d0586e9e96bad2458d15e0c16e0a0c14122c5c0375bd50e9650b91b4daeb6b7f61f5f82a0d83fa64061e69860da77817972d3c6893d704986a5

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

MD5 ee7c1fa035cac997ff78b2a8d77b19c3
SHA1 9ed41bd57a4af443ed246693da7b66a96c181cb3
SHA256 ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af
SHA512 ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

MD5 a8b2b3d6c831f120ce624cff48156558
SHA1 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

MD5 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1 de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

MD5 2def326d4f3ad50a7abb0f20944405fc
SHA1 c99b7a01019992e4180a5a9d67a8f30a5bda46d7
SHA256 ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092
SHA512 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

MD5 3e76e9316ef4786a23fb89f0c2b675ae
SHA1 b97760551fbaf04f95efb41fb5e6223327fac922
SHA256 a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af
SHA512 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d

\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

MD5 c99c8787347caef751fba46a2bc529fc
SHA1 6c2051fa486b673b9ffd01dae98ae6ec263be390
SHA256 ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20
SHA512 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5

\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

MD5 eeda10135ede6edb5c85df3bd878e557
SHA1 8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512 a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

MD5 99a6a9656da926af8aa648d50b47dcfb
SHA1 81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256 fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

MD5 72d867e8c7a84374aa72bf7feca4334e
SHA1 bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e
SHA256 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84
SHA512 b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa

MD5 6a279dd3ba7b1beab9f11d67ce728912
SHA1 9cb0bcc27500bb10bbc9f7a7f46f4bc6148224e4
SHA256 aa0552925308308a73a0f4419f463f63eeadb9cf5cf1f5284ca79f1b2a3f2ed7
SHA512 17e3c134021d1f29a26fd53b7f662ec849e9a56525766c7e6e2b86bed533039973363558b7e199e013d1ab905391b909bb7f483dd45352c3ac19ab9c3101f0ba

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check

MD5 8b46922727397a34cd895953b5a26d4b
SHA1 f1c442d9961ef63b5f7a904f1d138d857420a79b
SHA256 8c6bc965ec2ca1a84ba2781ea049bb9b21fedd9d27e7a363e26d53ecb1abb1f4
SHA512 b5e7bffdbd5e844e83a0cc2ce4caaa33902c75ff68c938b914424b5f361789272ba191e6bd263891bed4ee6a5cd9450bef8fba0b09a99c25a2474f17fdf147f4

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini

MD5 3a3009d863ba303572102ca4215af083
SHA1 b42e344a0f0f0adefe2e4e951e703d85929ac399
SHA256 61131ef61676070346adc61e143348fc8d6b8597305865345f5c104c2a79b14e
SHA512 db65b389ae9c0774d5d5725ad2dea1faf987198995d658af93af54f06376683a4393f71d2707132312a1ab286bd3535f484efe0f2ba2b98200e9afb546148dd8

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

MD5 0abd0b462f8e07c20af3719bc672a71c
SHA1 9bac3e016617fb3034e7b24080f200acc337ad17
SHA256 3aeae10915f253166fb4ebf11993ea7e2bccd2583979870633d8db13b3005b7f
SHA512 83063c919b8c6816fdac1c2593eb6e998f996ce1487ebf06f51fa5219d127aa966eb3d1d365d1c7a5369d99d042900c60465aa9d6515a7aef06a2bc70c7eed29

memory/620-238-0x0000000073840000-0x000000007393D000-memory.dmp

memory/620-241-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-244-0x0000000073010000-0x00000000733D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json

MD5 0fc9317cc6646f22cd2c7f0e199d9545
SHA1 eaa78dd9b130958180e76d6d089a9e00bca27694
SHA256 612ebe67185a4385e53a8e965782b22bb60c8ce485092c71e9bec748cd8c4258
SHA512 6fe66730c5b040c95931bf6618a84095131dd550d4a0cf74cd64bd4025e0c5b9e4c59c686b54c386f319ca5a12ae4d2820f62838e649d3a1557006aacb6d3aad

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme

MD5 6a054bcf49a9e9f921bccd287e88a648
SHA1 4f776f06d2b7683c03ebac58ea4ba2cc9d928ed5
SHA256 de48033ef74945b4496d42017450de46d7fddc5f63c80324cda096f648f12edf
SHA512 fac5d10583d6d6cb947a8285abfec7505d5598a3f1eb8465214d77e3d3f41f07ff7244a479a91ca894ec765912dd347ab724c8eaa8c823e62a0a8824d3901b2a

\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

MD5 d8e1c8358050a62961004beb6d598ec8
SHA1 1c1bc7c986c445d3c9e77b8efac621cb7b2b569c
SHA256 603193ec2b0e96ec483c8eaa92a517b8f685fb72875d2c5bd7c79fb0e5d7c38c
SHA512 cfbc2dde98458831e83e9dcf3ded621a3e1b26f73bac3a743f71923373429e993b9af2e5e1c8b9602e68741a8dc7f0ddea62add1f1a3d5a12b0269ea8c5d55fd

\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

MD5 fb8af7753cb2a3583d8e5372e295f04d
SHA1 f232d9b86386399a5cf43a4e3247c22ef18b85c6
SHA256 bbc7e13444052825b3ae254c0f4e18660df1a954840a68e37eb70a9e37acf461
SHA512 8a5e8a2e91f4ab94596fa0f57a5d9b61f9e15b8127e84692eedff9e09ab1bc9d2611bc58fca70635ceb2f4b1bffc2c0f0431f61bfbecadfc0dfca7fda0aa5923

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

MD5 13b2d865ec33421538e2466300e6cfc2
SHA1 d850b3621d8354270a548c2e55fc06379d49ea2c
SHA256 6761e45fa371e19dd77f1ab8cc715a93fa6221031d2b9424cda403728aa41ccb
SHA512 4bdc9eeb71d61ca3db71797a7d923fe9031ef2404cb3a88d41bdc3b2d80d080088cd49b14de2842d0e0593a52e3a9bb9d72e46268745ea7737de789a5c9edc3c

\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

MD5 4a2f597c15ad595cfd83f8a34a0ab07a
SHA1 7f6481be6ddd959adde53251fa7e9283a01f0962
SHA256 5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804
SHA512 0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

MD5 a9a9d31764b50858a01b1fb228406f06
SHA1 7a313c46f049287045992f54f9d6eda9db568ef8
SHA256 c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645
SHA512 164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

memory/2108-269-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/2108-268-0x0000000073840000-0x000000007393D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt

MD5 af2a6d027d817ed6624ac7d46b969366
SHA1 4ae3c7533267a12c94fa9de938b8aa36df53f754
SHA256 cfefcfdbbd4b27f344ea91c7e8d57afddf857f766d017ea3e3b3f9cda0322851
SHA512 82495dff63952535ac2b0055806c84ef973f142107c1c225ab6dc73d08533ce7b8e2eb228380f44cc072792a0346edff72a65690a87815be580a0b24cdc3834e

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

MD5 e6066e9e4aa21333b30fe304ea32d40a
SHA1 568ae6207f94314590c768d47346231e5118239c
SHA256 0a0b3845d467f3f9abce841a93dda696fe80cd261242cce863d3c6abd92f01cf
SHA512 fdf2f9a348d0b7f38857b87b8c5d0101a57bb4695c17ad8864f92266522879df2d3e6bfc90b2885b8ecc0dd76e317581232b3711611c6ae340b2260749731598

memory/620-307-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-308-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/620-306-0x0000000073840000-0x000000007393D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3

MD5 af3eb83ac4a73ee01aa747872ec09717
SHA1 59e66cf1d974b5108f2ad169dece57cddfa6878c
SHA256 454949d6d9d626d16efaec3b97ba434b5c9a1f0e712afbb0e51ea2e39b4cf356
SHA512 ac9952905712d6c3546b2f0d953426fa2aec2311abadab44495f5196f873c4460fa21d0797c113621f7e1a3d669017d49a9bef45234025c5b2b9ef664fec390b

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico

MD5 8cfee57ebb5f1d41a1d293f0786bbad1
SHA1 02f6c748b94b49cb443b7f7b4e3e1e80e5d394a5
SHA256 9fd14605fe06d445b118f401e0556bd6783b9ad30010a932c83f0727df3198b3
SHA512 c271ac4b08eb10e43f7cad2e402bde1a1664506d1586b9c4835a221c11c32153e6ed8edd4782508c91bc651308fc85aab8d2bc7c33a013e55c1e734057d25d37

C:\Windows\Temp\bd2_request_12646d835d4c4ea.bat

MD5 a29bba44ad15b3c4af98a2a6f225362e
SHA1 5c832bf5791af55188249ecfc73e59dca12079c5
SHA256 835fe6050520b6b2c9914570b6195cc87284de00801f5e8e414ea57e4f50543c
SHA512 e6b8195a66e5c2129d8f8dea347950f41f667187109dbf3d7fcf16e5e308efcc669d3a5ea38b47e65f34ff6e9ff7a5bf3513037b62418ab62201b1ece7dd1aef

memory/2108-334-0x0000000073840000-0x000000007393D000-memory.dmp

memory/2108-335-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/2108-336-0x0000000073010000-0x00000000733D4000-memory.dmp

C:\Windows\Temp\TarE90D.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

MD5 278d7f9c9a7526f35e1774cca0059c36
SHA1 423f1ebd3cbd52046a16538d6baa17076610cb2f
SHA256 12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8
SHA512 75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044

memory/620-365-0x0000000073840000-0x000000007393D000-memory.dmp

memory/620-367-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/620-371-0x0000000072910000-0x00000000729F9000-memory.dmp

memory/620-370-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-369-0x0000000073840000-0x000000007393D000-memory.dmp

memory/620-366-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-379-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/620-380-0x0000000073840000-0x000000007393D000-memory.dmp

memory/620-381-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-384-0x00000000727D0000-0x00000000728B9000-memory.dmp

memory/620-392-0x00000000726E0000-0x00000000727C9000-memory.dmp

memory/2108-393-0x0000000073840000-0x000000007393D000-memory.dmp

memory/2108-395-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/2108-394-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/620-406-0x00000000726E0000-0x00000000727C9000-memory.dmp

memory/620-416-0x0000000073840000-0x000000007393D000-memory.dmp

memory/620-418-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/620-417-0x00000000736E0000-0x00000000737FC000-memory.dmp

memory/2108-425-0x0000000073840000-0x000000007393D000-memory.dmp

memory/2108-427-0x0000000073010000-0x00000000733D4000-memory.dmp

memory/2108-426-0x00000000736E0000-0x00000000737FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 00:38

Reported

2024-05-28 00:41

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Note: \REGISTRY\USER\.DEFAULT is the registry hive the SYSTEM account gets in place of HKCU. The SystemCertificates and WinTrust subkeys listed above are typically created by CryptoAPI the first time a process running as SYSTEM opens its per-user certificate stores or verifies a signature; SRManagerSOS.exe and its powershell.exe descendant are in that context because the scheduled task was registered with /ru "system". Every row here is a key creation with no certificate written under it, so this table supports "runs as SYSTEM" rather than "installed a trusted root"; look for new Certificates\<thumbprint> subkeys before treating it as certificate-store tampering.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count (identical events logged, in order)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A 60
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2032 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1868 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4976 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1788 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1788 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1868 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1868 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2436 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1348 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 1348 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 1348 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 2288 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 2288 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 2288 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 2288 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 2288 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 2288 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 2288 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 2288 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 2288 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 2288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 2288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 2288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 4828 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 4828 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 4828 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 3708 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\chcp.com
PID 3708 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\chcp.com
PID 3708 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3708 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Note: PID 2580 appears twice with different images (expand.exe under cmd.exe 2032, later SysWOW64\cmd.exe under SRAgentSOS.exe 2244); Windows reused the PID after the first process exited, so correlate rows on (PID, image, parent) rather than on PID alone. Each parent/child pair is listed two or three times because the sandbox records every WriteProcessMemory call the parent makes while creating the child, not a distinct injection per row. Launcher.exe (PID 1348) has no parent in this table because the Task Scheduler service started it, not the sample.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

"SRManagerSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

SRServerSOS.exe -s

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

SRUtilitySOS.exe -r

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_132ddaa2722b5b8.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
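The command lines above form one sequence: the sample expands the cab into unpacksos\1, registers task ASOS1 from ASOS.xml with /ru "system", rewrites the task action to Launcher.exe SRManagerSOS.exe 1, runs it, and deletes it. The task is gone by the time Launcher.exe's children start, so it is a one-shot SYSTEM launch rather than durable persistence, and Launcher.exe has no parent in the WriteProcessMemory table because the Task Scheduler service started it. The script below is an added example, not part of the report or of the sample's tooling: it rebuilds the process tree from event tuples constructed by hand from this report's PIDs, images and command lines, and flags the create/change/run/delete pattern together with the subtree that the task's action binary started. The tuple layout, the parent-0 convention for unrecorded parents, and the abbreviated PowerShell command lines are assumptions of the example.

```python
"""Process-tree reconstruction and scheduled-task abuse check (added example)."""
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"
SOS = TMP + r"\unpacksos\1"
CMD, SCHTASKS = r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\schtasks.exe"
TR = f"'{SOS}\\\\Launcher.exe' SRManagerSOS.exe 1 "   # the /tr value exactly as the report shows it

def _wrap(inner):
    """The 32-bit sample reaches the 64-bit cmd.exe through the sysnative alias."""
    return f'"C:\\Windows\\sysnative\\cmd.exe" /c {inner}'

# Constructed from the report: (pid, parent pid, image, command line), in creation order.
# Parent 0 = not recorded in the report (Launcher.exe is started by the Task Scheduler service).
EVENTS = [
    (1868, 0, SAMPLE, f'"{SAMPLE}"'),
    (2032, 1868, CMD, _wrap(r"C:\Windows\system32\expand.exe *.cab /f:* ." + "\\")),
    (2580, 2032, r"C:\Windows\system32\expand.exe", r"C:\Windows\system32\expand.exe *.cab /f:* ." + "\\"),
    (4976, 1868, CMD, _wrap('schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1')),
    (884, 4976, SCHTASKS, 'schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'),
    (1788, 1868, CMD, _wrap(f'schtasks /change /tn ASOS1 /ru "system" /tr "{TR}"')),
    (3468, 1788, SCHTASKS, f'schtasks /change /tn ASOS1 /ru "system" /tr "{TR}"'),
    (4896, 1868, CMD, _wrap("schtasks /run /tn ASOS1")),
    (4236, 4896, SCHTASKS, "schtasks /run /tn ASOS1"),
    (1348, 0, SOS + r"\Launcher.exe", SOS + r"\\Launcher.exe SRManagerSOS.exe 1"),
    (2436, 1868, CMD, _wrap("schtasks /delete /f /tn ASOS1")),
    (2464, 2436, SCHTASKS, "schtasks /delete /f /tn ASOS1"),
    (2288, 1348, SOS + r"\SRManagerSOS.exe", '"SRManagerSOS.exe"'),
    (2708, 2288, SOS + r"\SRServerSOS.exe", "SRServerSOS.exe -s"),
    (2244, 2288, SOS + r"\SRAgentSOS.exe", f'"{SOS}\\SRAgentSOS.exe"'),
    (2604, 2288, SOS + r"\SRAppPBSOS.exe", f'"{SOS}\\SRAppPBSOS.exe"'),
    (4828, 2288, SOS + r"\SRFeatureSOS.exe", f'"{SOS}\\SRFeatureSOS.exe"'),
    (1580, 4828, SOS + r"\SRUtilitySOS.exe", "SRUtilitySOS.exe -r"),
    (3708, 2244, r"C:\Windows\SysWOW64\cmd.exe", 'cmd.exe /c chcp 65001&&powershell.exe -Command "..."'),  # abbreviated
    (3292, 3708, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (3756, 3708, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 'powershell.exe -Command "..."'),  # abbreviated
]

_TOKEN = re.compile(r'"[^"]*"|\S+')          # Windows-style split: keep quoted arguments whole
SYSTEM_NAMES = {"system", "nt authority\\system", "localsystem"}

def basename(path):
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_schtasks(cmdline):
    """Parse a schtasks.exe command line into action/task/run-as/trigger; None if it is not schtasks."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    out = {"action": None, "task": None, "run_as": None, "trigger_cmd": None}
    for i, t in enumerate(toks):
        low, nxt = t.lower(), toks[i + 1] if i + 1 < len(toks) else None
        if low in ("/create", "/change", "/run", "/delete"):
            out["action"] = low[1:]
        elif low == "/tn":
            out["task"] = nxt
        elif low == "/ru":
            out["run_as"] = nxt.lower() if nxt else None
        elif low == "/tr":
            out["trigger_cmd"] = nxt
    return out if out["action"] else None

def trigger_image(tr):
    """Basename of the first path in a /tr value ('quoted' when the path contains spaces)."""
    m = re.match(r"'([^']+)'|(\S+)", tr or "")
    return basename(m.group(1) or m.group(2)) if m else None

def build_tree(events):
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return procs, children

def root_of(procs, pid):
    while procs[pid][0] in procs:
        pid = procs[pid][0]
    return pid

def descendants(children, pid):
    out, stack = [], list(children[pid])
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children[p])
    return sorted(out)

def find_task_abuse(events):
    """Flag a task that one origin process creates/changes to run as SYSTEM, runs, then deletes."""
    procs, children = build_tree(events)
    per_task = defaultdict(list)                 # task name -> [(origin pid, parsed schtasks)]
    for pid, _, image, cmd in events:
        parsed = parse_schtasks(cmd) if basename(image) == "schtasks.exe" else None
        if parsed and parsed["task"]:
            per_task[parsed["task"]].append((root_of(procs, pid), parsed))
    findings = []
    for task, rows in per_task.items():
        actions = [p["action"] for _, p in rows]
        run_as = {p["run_as"] for _, p in rows if p["run_as"]}
        if "run" in actions and "delete" in actions and run_as & SYSTEM_NAMES:
            tr = next((p["trigger_cmd"] for _, p in rows if p["trigger_cmd"]), None)
            exe = trigger_image(tr)
            spawned = [pid for pid, _, image, _ in events if exe and basename(image) == exe]
            kids = set().union(*(descendants(children, s) for s in spawned)) if spawned else set()
            findings.append({"task": task, "actions": actions, "run_as": sorted(run_as),
                             "origin_pid": sorted({o for o, _ in rows}), "trigger": tr,
                             "spawned": spawned, "descendants": sorted(kids)})
    return findings

if __name__ == "__main__":
    for f in find_task_abuse(EVENTS):
        print(f"task {f['task']}: {' -> '.join(f['actions'])} as {f['run_as']} by PID {f['origin_pid']}")
        print(f"  trigger {f['trigger']!r} started PID {f['spawned']}, descendants {f['descendants']}")
```

The detection keys on schtasks.exe itself rather than on the cmd.exe wrappers, so each step is counted once, and it ties the SYSTEM-launched subtree back to the origin process through the task name, which is the only link between the two halves of the tree once the task has been deleted.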

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 76.223.35.50:443 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 50.35.223.76.in-addr.arpa udp
US 8.8.8.8:53 st-v3-sos-srs-win-3700-g3.api.splashtop.com udp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 14.175.71.35.in-addr.arpa udp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 52.152.180.153:443 fe2cr.update.microsoft.com tcp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 st-relay-v3-sos-srs-win-3700-g3.api.splashtop.com udp
US 15.197.245.222:443 st-relay-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 download.windowsupdate.com udp
BE 23.14.90.91:80 download.windowsupdate.com tcp
US 8.8.8.8:53 153.180.152.52.in-addr.arpa udp
US 8.8.8.8:53 222.245.197.15.in-addr.arpa udp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 132-145-25-233.relay.splashtop.com udp
GB 132.145.25.233:443 132-145-25-233.relay.splashtop.com tcp
US 8.8.8.8:53 233.25.145.132.in-addr.arpa udp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 140-238-79-99.relay.splashtop.com udp
US 8.8.8.8:53 3-252-149-178.relay.splashtop.com udp
US 8.8.8.8:53 129-151-93-178.relay.splashtop.com udp
US 35.71.175.14:443 st-v3-sos-srs-win-3700-g3.api.splashtop.com tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
GB 140.238.79.99:443 140-238-79-99.relay.splashtop.com tcp
US 8.8.8.8:53 178.93.151.129.in-addr.arpa udp
US 8.8.8.8:53 99.79.238.140.in-addr.arpa udp
US 8.8.8.8:53 178.149.252.3.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
GB 140.238.79.99:443 140-238-79-99.relay.splashtop.com tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
IE 3.252.149.178:443 3-252-149-178.relay.splashtop.com tcp
GB 129.151.93.178:443 129-151-93-178.relay.splashtop.com tcp
GB 140.238.79.99:443 140-238-79-99.relay.splashtop.com tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 e52e2978c7f6994651ec1cc927e78832
SHA1 8cb2c57e2ae5280e545715e701d47d8fbd4acdf4
SHA256 b7b79688818171b3586992513d57f13d657a5a93f4f6615121089bed564b7d5f
SHA512 898d3bd468d6604060934c8b93f9e8f065b09ffd8eb76b23bd5638f0b523ed863ae817bb3e9ddcd9aaebabf989904b9f2a752ccbceed43629b187885f167cb4a

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

MD5 ee7c1fa035cac997ff78b2a8d77b19c3
SHA1 9ed41bd57a4af443ed246693da7b66a96c181cb3
SHA256 ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af
SHA512 ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

MD5 a8b2b3d6c831f120ce624cff48156558
SHA1 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

MD5 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1 de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

MD5 2def326d4f3ad50a7abb0f20944405fc
SHA1 c99b7a01019992e4180a5a9d67a8f30a5bda46d7
SHA256 ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092
SHA512 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

MD5 c99c8787347caef751fba46a2bc529fc
SHA1 6c2051fa486b673b9ffd01dae98ae6ec263be390
SHA256 ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20
SHA512 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

MD5 eeda10135ede6edb5c85df3bd878e557
SHA1 8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512 a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

MD5 3e76e9316ef4786a23fb89f0c2b675ae
SHA1 b97760551fbaf04f95efb41fb5e6223327fac922
SHA256 a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af
SHA512 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat

MD5 1d56a3f8d7f5dab184a8cc4feddaa173
SHA1 75d291cb96fdc05d54c962f1cb08796ee439b22f
SHA256 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e
SHA512 fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat

MD5 2dac6568b843ebdc5c98598ca32918be
SHA1 e7740e4be7f71a82adbb6e5224d33534e237614c
SHA256 eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7
SHA512 1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

MD5 99a6a9656da926af8aa648d50b47dcfb
SHA1 81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256 fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

MD5 72d867e8c7a84374aa72bf7feca4334e
SHA1 bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e
SHA256 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84
SHA512 b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini

MD5 3a3009d863ba303572102ca4215af083
SHA1 b42e344a0f0f0adefe2e4e951e703d85929ac399
SHA256 61131ef61676070346adc61e143348fc8d6b8597305865345f5c104c2a79b14e
SHA512 db65b389ae9c0774d5d5725ad2dea1faf987198995d658af93af54f06376683a4393f71d2707132312a1ab286bd3535f484efe0f2ba2b98200e9afb546148dd8

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

MD5 0abd0b462f8e07c20af3719bc672a71c
SHA1 9bac3e016617fb3034e7b24080f200acc337ad17
SHA256 3aeae10915f253166fb4ebf11993ea7e2bccd2583979870633d8db13b3005b7f
SHA512 83063c919b8c6816fdac1c2593eb6e998f996ce1487ebf06f51fa5219d127aa966eb3d1d365d1c7a5369d99d042900c60465aa9d6515a7aef06a2bc70c7eed29

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa

MD5 6a279dd3ba7b1beab9f11d67ce728912
SHA1 9cb0bcc27500bb10bbc9f7a7f46f4bc6148224e4
SHA256 aa0552925308308a73a0f4419f463f63eeadb9cf5cf1f5284ca79f1b2a3f2ed7
SHA512 17e3c134021d1f29a26fd53b7f662ec849e9a56525766c7e6e2b86bed533039973363558b7e199e013d1ab905391b909bb7f483dd45352c3ac19ab9c3101f0ba

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check

MD5 8b46922727397a34cd895953b5a26d4b
SHA1 f1c442d9961ef63b5f7a904f1d138d857420a79b
SHA256 8c6bc965ec2ca1a84ba2781ea049bb9b21fedd9d27e7a363e26d53ecb1abb1f4
SHA512 b5e7bffdbd5e844e83a0cc2ce4caaa33902c75ff68c938b914424b5f361789272ba191e6bd263891bed4ee6a5cd9450bef8fba0b09a99c25a2474f17fdf147f4

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme

MD5 6a054bcf49a9e9f921bccd287e88a648
SHA1 4f776f06d2b7683c03ebac58ea4ba2cc9d928ed5
SHA256 de48033ef74945b4496d42017450de46d7fddc5f63c80324cda096f648f12edf
SHA512 fac5d10583d6d6cb947a8285abfec7505d5598a3f1eb8465214d77e3d3f41f07ff7244a479a91ca894ec765912dd347ab724c8eaa8c823e62a0a8824d3901b2a

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json

MD5 0fc9317cc6646f22cd2c7f0e199d9545
SHA1 eaa78dd9b130958180e76d6d089a9e00bca27694
SHA256 612ebe67185a4385e53a8e965782b22bb60c8ce485092c71e9bec748cd8c4258
SHA512 6fe66730c5b040c95931bf6618a84095131dd550d4a0cf74cd64bd4025e0c5b9e4c59c686b54c386f319ca5a12ae4d2820f62838e649d3a1557006aacb6d3aad

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3

C:\Windows\Temp\bd2_request_132ddaa2722b5b8.bat

C:\Windows\Temp\__PSScriptPolicyTest_uh34vqk1.se5.ps1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SROpus.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOSNoUIA.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioResample.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioChatSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\reboot.bat

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.key

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.cert

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_mount.bat

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.cnf

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm
