Analysis Overview
SHA256
3cea5fa48fe5f9d3e6e7e6249277dcbeef2f558bcee1395947070cf9425bcee1
Threat Level: Likely malicious
The file 2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid was found to be: Likely malicious. The icedid tag is part of the submitted filename, not a detection made by this analysis: the dropped components (SRManagerSOS.exe, SRServerSOS.exe, SRAgentSOS.exe, streamer1.cab, .splashtop.sostheme) and the network destinations (api.splashtop.com, relay.splashtop.com) are those of the Splashtop SOS remote-support streamer, and the verdict rests on the packer, scheduled-task-as-SYSTEM and certificate-store signatures listed below. Treat the sample as a remote-access tool whose presence has to be reconciled with authorised support activity rather than as a confirmed IcedID payload.
Malicious Activity Summary
UPX dump on OEP (original entry point)
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Drops file in System32 directory
Checks computer location settings
Checks installed software on the system
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 00:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 00:38
Reported
2024-05-28 00:41
Platform
win7-20240221-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Every path below lies under C:\Windows\SysWOW64\config\systemprofile, the profile a 32-bit process is given when it runs as SYSTEM, which the SOS components do once the ASOS1 task has started Launcher.exe as S-1-5-18. The files are CryptoAPI's CryptnetUrlCache entries (CRL and root downloads made while building the TLS chains to splashtop.com) and a GDI+ font cache; no binary is written to System32 or SysWOW64 itself.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe" | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local" | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
Modifies system certificate store
All writes go to the AuthRoot store under HKLM, which Windows' automatic root update fills in when CryptoAPI builds a chain to a root it has not yet cached; the CryptnetUrlCache files under the SYSTEM profile above are the matching downloads. The blob written under 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 is the DigiCert Assured ID Root CA: its certificate record (the DER starting 308203b7) carries that subject name, and the key name is the certificate's SHA-1 thumbprint, which the blob also stores in its CERT_SHA1_HASH_PROP_ID record. This is a side effect of SRManagerSOS.exe validating TLS chains while running as SYSTEM, not the installation of an attacker-controlled root.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob value elided) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob value elided) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob value elided) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (blob value elided) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (blob value elided) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
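How to read those Blob values, as an added example that is not part of this report and not Microsoft's or Splashtop's code: a store entry's Blob is a sequence of CryptoAPI property records, each a little-endian 32-bit property ID, a reserved word of 1, a 32-bit length and the data. Record 32 (CERT_CERT_PROP_ID) is the DER certificate and record 3 (CERT_SHA1_HASH_PROP_ID) is its SHA-1 thumbprint, which is also the name of the registry key. The sample input is the first 274 bytes of the 0563B863… blob above, cut before the 955-byte certificate record to keep it short; the property-ID names are the wincrypt.h ones; build_blob and FAKE_DER are constructed here to show the thumbprint check on a complete entry and do not represent a real certificate.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that appear in serialized certificate-store blobs.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",  # the DER-encoded certificate itself
}

def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: data}; records are <u32 id><u32 1><u32 len><data>."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_eku(seq: bytes) -> list:
    """Decode CERT_ENHKEY_USAGE_PROP_ID: a short-form DER SEQUENCE OF OID."""
    if seq[0] != 0x30 or seq[1] >= 0x80:
        raise ValueError("expected short-form SEQUENCE")
    body, oids, off = seq[2:2 + seq[1]], [], 0
    while off < len(body):
        if body[off] != 0x06:
            raise ValueError("expected OID")
        n = body[off + 1]
        oids.append(decode_oid(body[off + 2:off + 2 + n]))
        off += 2 + n
    return oids

def summarize(blob: bytes) -> dict:
    """Pull out what an analyst wants to know from one store entry."""
    props = parse_blob(blob)
    der = props.get(32)
    sha1 = props[3].hex() if 3 in props else None
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "sha1": sha1,
        "friendly_name": props[11].decode("utf-16-le").rstrip("\0") if 11 in props else None,
        "eku": decode_eku(props[9]) if 9 in props else [],
        # The key is named after the SHA-1 record; a complete entry must carry a
        # certificate whose real SHA-1 agrees with it. None = no cert record present.
        "cert_matches_sha1": hashlib.sha1(der).hexdigest() == sha1 if der and sha1 else None,
    }

def check_store_entry(key_path: str, blob: bytes) -> bool:
    """Confirm the ...\\Certificates\\<thumbprint> key name equals the blob's SHA-1 record."""
    name = key_path.rstrip("\\").split("\\")[-1]
    return parse_blob(blob).get(3, b"").hex().lower() == name.lower()

def build_blob(der: bytes, friendly_name: str) -> bytes:
    """Constructed helper: serialize a minimal entry the way CryptoAPI lays it out."""
    def rec(prop_id, data):
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return (rec(3, hashlib.sha1(der).digest())
            + rec(11, (friendly_name + "\0").encode("utf-16-le"))
            + rec(32, der))

# First 274 bytes of the 0563B863... blob from this report, cut before the
# 955-byte CERT_CERT_PROP_ID record so the sample stays short.
PAGE_BLOB_HEADER = bytes.fromhex(
    "04000000010000001000000087ce0b7b2a0e4900e158719b37a89372"
    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"
    "090000000100000034000000"
    "303206082b0601050507030106082b0601050507030206082b06010505070304"
    "06082b0601050507030306082b06010505070308"
    "14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "1d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c"
    "0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
    "190000000100000010000000749966cecc95c1874194ca7203f9b620"
)
PAGE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
            r"\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43")
# Opaque placeholder bytes standing in for a DER certificate (constructed, not a real cert).
FAKE_DER = bytes(range(0x30, 0x40)) * 4

if __name__ == "__main__":
    print(summarize(PAGE_BLOB_HEADER))
    print(check_store_entry(PAGE_KEY, PAGE_BLOB_HEADER))
    print(summarize(build_blob(FAKE_DER, "example"))["cert_matches_sha1"])
```

On the report's header the friendly name decodes to DigiCert, the EKU record lists serverAuth, clientAuth, emailProtection, codeSigning and timeStamping, and the SHA-1 record equals the key name, which is the consistency check to run before deciding whether a cert-store write is the automatic root update or a root somebody added by hand.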
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
Path and command line of each process, in the order the sandbox recorded them. The cmd.exe wrappers are started through C:\Windows\sysnative\cmd.exe, the alias a 32-bit process has to use to reach the 64-bit cmd.exe from under WOW64.
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\ |
| C:\Windows\system32\expand.exe | C:\Windows\system32\expand.exe *.cab /f:* .\ |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1 |
| C:\Windows\system32\schtasks.exe | schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1 |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 " |
| C:\Windows\system32\schtasks.exe | schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 " |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1 |
| C:\Windows\system32\schtasks.exe | schtasks /run /tn ASOS1 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {8351FEA9-1A63-44EE-8AB2-B982BC4F4E6E} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1 |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1 |
| C:\Windows\system32\schtasks.exe | schtasks /delete /f /tn ASOS1 |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | "SRManagerSOS.exe" |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | SRServerSOS.exe -s |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe" |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe" |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe" |
| C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | SRUtilitySOS.exe -r |
| C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Windows\Temp\bd2_request_12646d835d4c4ea.bat |
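The ASOS1 sequence above (create a task from an XML definition, change it to run as SYSTEM with Launcher.exe as the action, run it, delete it; taskeng.exe then starts Launcher.exe as S-1-5-18) is a one-shot way of getting SYSTEM that leaves no task behind to find later, so a rule that looks only for "schtasks /create" as persistence misses it. A detection keyed on the sequence rather than on any single command, as an added example that is not part of this report and not Triage's or Splashtop's code: it parses schtasks command lines from process-creation events, groups them by task name, and alerts when a task is created or changed to run as SYSTEM, started with /run and deleted within a few minutes. The schtasks and cmd.exe command lines are the ones listed above; the timestamps, the 'Nightly Backup' contrast task and the list of user-writable locations are constructed here.

```python
import re
from datetime import datetime, timedelta

VERBS = {"create", "change", "run", "delete", "query", "end"}
SYSTEM_ACCOUNTS = {"system", r"nt authority\system", "s-1-5-18"}
# Locations an unprivileged user can write to; a SYSTEM task whose action lives
# here is the interesting case (assumed list, extend as needed).
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)

def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping "quoted" runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline: str):
    """Return (verb, options) for a schtasks invocation, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(toks):
        key = toks[i][1:].lower() if toks[i].startswith("/") else None
        if key in VERBS:
            verb = key
        elif key is not None:
            # A switch takes the next token as its value unless that is another switch.
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return verb, opts

def launched_binary(tr: str) -> str:
    """Program part of a /tr value; handles the 'single-quoted' form seen in the report."""
    tr = tr.strip()
    return tr[1:].split("'", 1)[0] if tr.startswith("'") else tr

def detect_system_task_launchers(events, window_seconds: int = 300) -> list:
    """Flag tasks created/changed to run as SYSTEM, started with /run and deleted
    within window_seconds. events: iterable of (timestamp, image_path, command_line)."""
    by_task = {}
    for ts, _image, cmdline in events:
        parsed = parse_schtasks(cmdline)
        if parsed and isinstance(parsed[1].get("tn"), str):
            by_task.setdefault(parsed[1]["tn"].lower(), []).append((ts, *parsed))
    alerts = []
    for name, steps in by_task.items():
        steps.sort(key=lambda s: s[0])
        as_system = [ts for ts, verb, o in steps if verb in ("create", "change")
                     and str(o.get("ru", "")).lower() in SYSTEM_ACCOUNTS]
        runs = [ts for ts, verb, _ in steps if verb == "run"]
        deletes = [ts for ts, verb, _ in steps if verb == "delete"]
        if not (as_system and runs and deletes):
            continue
        span = (deletes[-1] - as_system[0]).total_seconds()
        if not (as_system[0] <= runs[0] <= deletes[-1] and span <= window_seconds):
            continue
        target = next((launched_binary(o["tr"]) for _, _, o in reversed(steps)
                       if isinstance(o.get("tr"), str)), "")
        alerts.append({"task": name, "target": target,
                       "user_writable_target": bool(USER_WRITABLE.search(target)),
                       "span_seconds": span})
    return alerts

# Constructed timestamps; the command lines are the ones this report lists.
T0 = datetime(2024, 5, 28, 0, 38, 30)
EVENTS = [
    (T0, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'),
    (T0 + timedelta(seconds=1), r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'),
    (T0 + timedelta(seconds=3), r"C:\Windows\system32\schtasks.exe",
     r'''schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "'''),
    (T0 + timedelta(seconds=5), r"C:\Windows\system32\schtasks.exe", r"schtasks /run /tn ASOS1"),
    (T0 + timedelta(seconds=10), r"C:\Windows\system32\schtasks.exe", r"schtasks /delete /f /tn ASOS1"),
    # Constructed benign task for contrast: persistent, not SYSTEM, never run-then-deleted.
    (T0 + timedelta(minutes=1), r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for alert in detect_system_task_launchers(EVENTS):
        print(alert)
```

The cmd.exe wrappers are deliberately ignored (only the schtasks.exe image is parsed) so each invocation is counted once; if your telemetry logs only the parent command line, drop that filter and parse the text after "/c" instead.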
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 76.223.35.50:443 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700.api.splashtop.com | udp |
| US | 35.71.177.13:443 | st-lookup-v1-sos-srs-win-3700.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | st-v3-sos-srs-win-3700.api.splashtop.com | udp |
| US | 52.223.22.239:443 | st-v3-sos-srs-win-3700.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | st-relay-v3-sos-srs-win-3700.api.splashtop.com | udp |
| US | 15.197.131.212:443 | st-relay-v3-sos-srs-win-3700.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 132-145-25-233.relay.splashtop.com | udp |
| GB | 132.145.25.233:443 | 132-145-25-233.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 129-151-93-178.relay.splashtop.com | udp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 3-252-149-178.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 132-145-44-219.relay.splashtop.com | udp |
| GB | 132.145.44.219:443 | 132-145-44-219.relay.splashtop.com | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49575 | N/A | tcp |
| N/A | 127.0.0.1:49577 | N/A | tcp |
| N/A | 127.0.0.1:49579 | N/A | tcp |
| GB | 132.145.44.219:443 | 132-145-44-219.relay.splashtop.com | tcp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49603 | N/A | tcp |
| N/A | 127.0.0.1:49605 | N/A | tcp |
| N/A | 127.0.0.1:49609 | N/A | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| GB | 132.145.44.219:443 | 132-145-44-219.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49620 | N/A | tcp |
| N/A | 127.0.0.1:49622 | N/A | tcp |
| N/A | 127.0.0.1:49624 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
| MD5 | 6db79f489c5eea155cfa109f38fb4f93 |
| SHA1 | 37afeead44380c42d85341f419968a5402745d93 |
| SHA256 | f08612dcdc61237ea54aad93c31f7afd091680e275cf82a9c1a7994cc6f089ba |
| SHA512 | c3ecd91618e92d0586e9e96bad2458d15e0c16e0a0c14122c5c0375bd50e9650b91b4daeb6b7f61f5f82a0d83fa64061e69860da77817972d3c6893d704986a5 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
| MD5 | ee7c1fa035cac997ff78b2a8d77b19c3 |
| SHA1 | 9ed41bd57a4af443ed246693da7b66a96c181cb3 |
| SHA256 | ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af |
| SHA512 | ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
| MD5 | a8b2b3d6c831f120ce624cff48156558 |
| SHA1 | 202db3bd86f48c2a8779d079716b8cc5363edece |
| SHA256 | 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484 |
| SHA512 | 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
| MD5 | 8ce869f7dbbb2e38c8de76716e49b8a5 |
| SHA1 | de73a6b80fca67b06a7e1fec1904095d61b7b864 |
| SHA256 | 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47 |
| SHA512 | 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
| MD5 | 2def326d4f3ad50a7abb0f20944405fc |
| SHA1 | c99b7a01019992e4180a5a9d67a8f30a5bda46d7 |
| SHA256 | ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092 |
| SHA512 | 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
| MD5 | 3e76e9316ef4786a23fb89f0c2b675ae |
| SHA1 | b97760551fbaf04f95efb41fb5e6223327fac922 |
| SHA256 | a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af |
| SHA512 | 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d |
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
| MD5 | c99c8787347caef751fba46a2bc529fc |
| SHA1 | 6c2051fa486b673b9ffd01dae98ae6ec263be390 |
| SHA256 | ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20 |
| SHA512 | 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5 |
\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
| MD5 | eeda10135ede6edb5c85df3bd878e557 |
| SHA1 | 8a1059dfd641269945e7a2710b684881bb63e8d2 |
| SHA256 | 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697 |
| SHA512 | a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
| MD5 | 99a6a9656da926af8aa648d50b47dcfb |
| SHA1 | 81db96003bd8f63250abc7e59fb35e0227d3f28a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 00:38
Reported
2024-05-28 00:41
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
UPX dump on OEP (original entry point)
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_59b7867b993f6a66891271a43964ee3c_icedid.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\expand.exe
C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\schtasks.exe
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /run /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
"SRManagerSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
SRServerSOS.exe -s
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
SRUtilitySOS.exe -r
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_132ddaa2722b5b8.bat
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 76.223.35.50:443 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 50.35.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 14.175.71.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fe2cr.update.microsoft.com | udp |
| US | 52.152.180.153:443 | fe2cr.update.microsoft.com | tcp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st-relay-v3-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 15.197.245.222:443 | st-relay-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | download.windowsupdate.com | udp |
| BE | 23.14.90.91:80 | download.windowsupdate.com | tcp |
| US | 8.8.8.8:53 | 153.180.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.245.197.15.in-addr.arpa | udp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 132-145-25-233.relay.splashtop.com | udp |
| GB | 132.145.25.233:443 | 132-145-25-233.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 233.25.145.132.in-addr.arpa | udp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | 140-238-79-99.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 3-252-149-178.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 129-151-93-178.relay.splashtop.com | udp |
| US | 35.71.175.14:443 | st-v3-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| GB | 140.238.79.99:443 | 140-238-79-99.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 178.93.151.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.79.238.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.149.252.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| GB | 140.238.79.99:443 | 140-238-79-99.relay.splashtop.com | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| IE | 3.252.149.178:443 | 3-252-149-178.relay.splashtop.com | tcp |
| GB | 129.151.93.178:443 | 129-151-93-178.relay.splashtop.com | tcp |
| GB | 140.238.79.99:443 | 140-238-79-99.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
| MD5 | e52e2978c7f6994651ec1cc927e78832 |
| SHA1 | 8cb2c57e2ae5280e545715e701d47d8fbd4acdf4 |
| SHA256 | b7b79688818171b3586992513d57f13d657a5a93f4f6615121089bed564b7d5f |
| SHA512 | 898d3bd468d6604060934c8b93f9e8f065b09ffd8eb76b23bd5638f0b523ed863ae817bb3e9ddcd9aaebabf989904b9f2a752ccbceed43629b187885f167cb4a |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
| MD5 | ee7c1fa035cac997ff78b2a8d77b19c3 |
| SHA1 | 9ed41bd57a4af443ed246693da7b66a96c181cb3 |
| SHA256 | ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af |
| SHA512 | ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
| MD5 | a8b2b3d6c831f120ce624cff48156558 |
| SHA1 | 202db3bd86f48c2a8779d079716b8cc5363edece |
| SHA256 | 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484 |
| SHA512 | 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
| MD5 | 8ce869f7dbbb2e38c8de76716e49b8a5 |
| SHA1 | de73a6b80fca67b06a7e1fec1904095d61b7b864 |
| SHA256 | 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47 |
| SHA512 | 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
| MD5 | 2def326d4f3ad50a7abb0f20944405fc |
| SHA1 | c99b7a01019992e4180a5a9d67a8f30a5bda46d7 |
| SHA256 | ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092 |
| SHA512 | 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
| MD5 | c99c8787347caef751fba46a2bc529fc |
| SHA1 | 6c2051fa486b673b9ffd01dae98ae6ec263be390 |
| SHA256 | ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20 |
| SHA512 | 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
| MD5 | eeda10135ede6edb5c85df3bd878e557 |
| SHA1 | 8a1059dfd641269945e7a2710b684881bb63e8d2 |
| SHA256 | 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697 |
| SHA512 | a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
| MD5 | 3e76e9316ef4786a23fb89f0c2b675ae |
| SHA1 | b97760551fbaf04f95efb41fb5e6223327fac922 |
| SHA256 | a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af |
| SHA512 | 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat
| MD5 | 1d56a3f8d7f5dab184a8cc4feddaa173 |
| SHA1 | 75d291cb96fdc05d54c962f1cb08796ee439b22f |
| SHA256 | 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e |
| SHA512 | fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat
| MD5 | 2dac6568b843ebdc5c98598ca32918be |
| SHA1 | e7740e4be7f71a82adbb6e5224d33534e237614c |
| SHA256 | eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7 |
| SHA512 | 1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
| MD5 | 99a6a9656da926af8aa648d50b47dcfb |
| SHA1 | 81db96003bd8f63250abc7e59fb35e0227d3f28a |
| SHA256 | fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98 |
| SHA512 | 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
| MD5 | 72d867e8c7a84374aa72bf7feca4334e |
| SHA1 | bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e |
| SHA256 | 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84 |
| SHA512 | b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini
| MD5 | 3a3009d863ba303572102ca4215af083 |
| SHA1 | b42e344a0f0f0adefe2e4e951e703d85929ac399 |
| SHA256 | 61131ef61676070346adc61e143348fc8d6b8597305865345f5c104c2a79b14e |
| SHA512 | db65b389ae9c0774d5d5725ad2dea1faf987198995d658af93af54f06376683a4393f71d2707132312a1ab286bd3535f484efe0f2ba2b98200e9afb546148dd8 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
| MD5 | 0abd0b462f8e07c20af3719bc672a71c |
| SHA1 | 9bac3e016617fb3034e7b24080f200acc337ad17 |
| SHA256 | 3aeae10915f253166fb4ebf11993ea7e2bccd2583979870633d8db13b3005b7f |
| SHA512 | 83063c919b8c6816fdac1c2593eb6e998f996ce1487ebf06f51fa5219d127aa966eb3d1d365d1c7a5369d99d042900c60465aa9d6515a7aef06a2bc70c7eed29 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa
| MD5 | 6a279dd3ba7b1beab9f11d67ce728912 |
| SHA1 | 9cb0bcc27500bb10bbc9f7a7f46f4bc6148224e4 |
| SHA256 | aa0552925308308a73a0f4419f463f63eeadb9cf5cf1f5284ca79f1b2a3f2ed7 |
| SHA512 | 17e3c134021d1f29a26fd53b7f662ec849e9a56525766c7e6e2b86bed533039973363558b7e199e013d1ab905391b909bb7f483dd45352c3ac19ab9c3101f0ba |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check
| MD5 | 8b46922727397a34cd895953b5a26d4b |
| SHA1 | f1c442d9961ef63b5f7a904f1d138d857420a79b |
| SHA256 | 8c6bc965ec2ca1a84ba2781ea049bb9b21fedd9d27e7a363e26d53ecb1abb1f4 |
| SHA512 | b5e7bffdbd5e844e83a0cc2ce4caaa33902c75ff68c938b914424b5f361789272ba191e6bd263891bed4ee6a5cd9450bef8fba0b09a99c25a2474f17fdf147f4 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme
| MD5 | 6a054bcf49a9e9f921bccd287e88a648 |
| SHA1 | 4f776f06d2b7683c03ebac58ea4ba2cc9d928ed5 |
| SHA256 | de48033ef74945b4496d42017450de46d7fddc5f63c80324cda096f648f12edf |
| SHA512 | fac5d10583d6d6cb947a8285abfec7505d5598a3f1eb8465214d77e3d3f41f07ff7244a479a91ca894ec765912dd347ab724c8eaa8c823e62a0a8824d3901b2a |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json
| MD5 | 0fc9317cc6646f22cd2c7f0e199d9545 |
| SHA1 | eaa78dd9b130958180e76d6d089a9e00bca27694 |
| SHA256 | 612ebe67185a4385e53a8e965782b22bb60c8ce485092c71e9bec748cd8c4258 |
| SHA512 | 6fe66730c5b040c95931bf6618a84095131dd550d4a0cf74cd64bd4025e0c5b9e4c59c686b54c386f319ca5a12ae4d2820f62838e649d3a1557006aacb6d3aad |
memory/2288-220-0x0000000072450000-0x000000007256C000-memory.dmp
memory/2288-219-0x00000000725A0000-0x000000007269D000-memory.dmp
memory/2288-221-0x0000000072080000-0x0000000072444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
| MD5 | d8e1c8358050a62961004beb6d598ec8 |
| SHA1 | 1c1bc7c986c445d3c9e77b8efac621cb7b2b569c |
| SHA256 | 603193ec2b0e96ec483c8eaa92a517b8f685fb72875d2c5bd7c79fb0e5d7c38c |
| SHA512 | cfbc2dde98458831e83e9dcf3ded621a3e1b26f73bac3a743f71923373429e993b9af2e5e1c8b9602e68741a8dc7f0ddea62add1f1a3d5a12b0269ea8c5d55fd |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
| MD5 | fb8af7753cb2a3583d8e5372e295f04d |
| SHA1 | f232d9b86386399a5cf43a4e3247c22ef18b85c6 |
| SHA256 | bbc7e13444052825b3ae254c0f4e18660df1a954840a68e37eb70a9e37acf461 |
| SHA512 | 8a5e8a2e91f4ab94596fa0f57a5d9b61f9e15b8127e84692eedff9e09ab1bc9d2611bc58fca70635ceb2f4b1bffc2c0f0431f61bfbecadfc0dfca7fda0aa5923 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico
| MD5 | 8cfee57ebb5f1d41a1d293f0786bbad1 |
| SHA1 | 02f6c748b94b49cb443b7f7b4e3e1e80e5d394a5 |
| SHA256 | 9fd14605fe06d445b118f401e0556bd6783b9ad30010a932c83f0727df3198b3 |
| SHA512 | c271ac4b08eb10e43f7cad2e402bde1a1664506d1586b9c4835a221c11c32153e6ed8edd4782508c91bc651308fc85aab8d2bc7c33a013e55c1e734057d25d37 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
| MD5 | 13b2d865ec33421538e2466300e6cfc2 |
| SHA1 | d850b3621d8354270a548c2e55fc06379d49ea2c |
| SHA256 | 6761e45fa371e19dd77f1ab8cc715a93fa6221031d2b9424cda403728aa41ccb |
| SHA512 | 4bdc9eeb71d61ca3db71797a7d923fe9031ef2404cb3a88d41bdc3b2d80d080088cd49b14de2842d0e0593a52e3a9bb9d72e46268745ea7737de789a5c9edc3c |
memory/2244-240-0x00000000725A0000-0x000000007269D000-memory.dmp
memory/2244-243-0x0000000072450000-0x000000007256C000-memory.dmp
memory/2244-246-0x0000000072080000-0x0000000072444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
| MD5 | 4a2f597c15ad595cfd83f8a34a0ab07a |
| SHA1 | 7f6481be6ddd959adde53251fa7e9283a01f0962 |
| SHA256 | 5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804 |
| SHA512 | 0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
| MD5 | a9a9d31764b50858a01b1fb228406f06 |
| SHA1 | 7a313c46f049287045992f54f9d6eda9db568ef8 |
| SHA256 | c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645 |
| SHA512 | 164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc |
C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt
| MD5 | 99b92e1dc84395538123964651e62043 |
| SHA1 | 65192b0f256659a0a73618cba9b044c561af1a02 |
| SHA256 | 0737025295e9a0680447f4d571cb5601e85662b47bef78e7991a1ad4af7164c9 |
| SHA512 | 28bf0f1cfe4014f55d1e6e703d43516db77e99ac1f6d5ee7ec811c925dc953f73b445582df7337e1f9c7fc648efdac38c91abe2f9db271e10f43d3afe5223d1e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
| MD5 | e6066e9e4aa21333b30fe304ea32d40a |
| SHA1 | 568ae6207f94314590c768d47346231e5118239c |
| SHA256 | 0a0b3845d467f3f9abce841a93dda696fe80cd261242cce863d3c6abd92f01cf |
| SHA512 | fdf2f9a348d0b7f38857b87b8c5d0101a57bb4695c17ad8864f92266522879df2d3e6bfc90b2885b8ecc0dd76e317581232b3711611c6ae340b2260749731598 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3
| MD5 | 4a404aab1a1a186a733e7fc007a1f51a |
| SHA1 | b041441e86cc70942c8ce9af3b30bb9af6d2eca4 |
| SHA256 | 33164e94be4227d974959199486c9a07ba79a32aade14faed20a9b20da590381 |
| SHA512 | a0d10fc717c161865eb7abb12ad6c468f9359011b3b1b30c9f86f75187f0b166ab372b31a1d1ae12a34c0ce7a64125df21acc297e44a3c416e69d79b85b7b2b6 |
C:\Windows\Temp\bd2_request_132ddaa2722b5b8.bat
| MD5 | 81cc068c9b8f5c7df7f2467fe5d67a58 |
| SHA1 | 0eca247e416199cfc36d5b4b7f816e950561aded |
| SHA256 | 1c473fe685e6d8912087ec042e48c0a8f03679519f697271bd9a92ede138e225 |
| SHA512 | 0f1839f1a69c4bc9136d6167e577dd6ad0616b13158a45e82c53f9f2f9cfd1e7caa390ab77aba03fb2219a95b3e2ac25a2d021557a2cee061f081499a09d5f0c |
memory/3756-310-0x00000000029C0000-0x00000000029F6000-memory.dmp
memory/3756-311-0x0000000005090000-0x00000000056B8000-memory.dmp
memory/3756-314-0x0000000004FF0000-0x0000000005012000-memory.dmp
memory/3756-315-0x00000000058F0000-0x0000000005956000-memory.dmp
memory/3756-316-0x0000000005960000-0x00000000059C6000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_uh34vqk1.se5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3756-326-0x00000000059D0000-0x0000000005D24000-memory.dmp
memory/3756-327-0x0000000005FB0000-0x0000000005FCE000-memory.dmp
memory/3756-328-0x0000000005FD0000-0x000000000601C000-memory.dmp
memory/3756-330-0x00000000078F0000-0x0000000007F6A000-memory.dmp
memory/3756-331-0x00000000064D0000-0x00000000064EA000-memory.dmp
memory/2288-334-0x0000000072450000-0x000000007256C000-memory.dmp
memory/2288-333-0x00000000725A0000-0x000000007269D000-memory.dmp
memory/2288-335-0x0000000072080000-0x0000000072444000-memory.dmp
memory/2244-338-0x00000000725A0000-0x000000007269D000-memory.dmp
memory/2244-340-0x0000000072080000-0x0000000072444000-memory.dmp
memory/2244-339-0x0000000072450000-0x000000007256C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SROpus.dll
| MD5 | 7c3b0175c350e6aea7c5f4f331fb7457 |
| SHA1 | 46fe50380b66c64a98b08017dc0d8566d9b22847 |
| SHA256 | a83cdfc6addac319e9cf2f950958db790ca430f96d900b5205828ebe9b2829a8 |
| SHA512 | 4b3972eb174ae834b39f34d51d19aca9eace14cacc54d0314dfbde8b38c2a0514e81b5861bee9cf8465313f6b98db31b0c2d314b052cc8f5cdf58c7af7e61aac |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOSNoUIA.exe
| MD5 | b591229685ad17957bb2a159c2a4b78b |
| SHA1 | 42f0f661f7339f879311c48d687a5ad8b562a220 |
| SHA256 | 4c241f9525bbf33f48771c647a56ffe1b3749ec81942044db25a08b0c400cffb |
| SHA512 | f80594e3741e12cb0fcadc2ab04ef019338f68b9f60771d51d05b406ff16314a041643044067cd846050b62c8642fde252c7c88e7df3641e200d4ff8aad2cc0c |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe
| MD5 | 549032ab1dabfe314669a9ff425ee57a |
| SHA1 | 37f881e80e7424732c630f50b49461a5297e9081 |
| SHA256 | aab91021230e5786711b1b862d0c41c3c48c9079ba143cb4bd4f6a49e99fa0e8 |
| SHA512 | 83720e5698a8df49518d9281af33c4b67f14a04c01dcc2c1bef10deb4d4360942199a2451ee784df562c9f557f9080772c7c259d7377dd33b7f38e87ceebafc6 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioResample.dll
| MD5 | 69dc934d7754b48537b81ae7b59c07c8 |
| SHA1 | bd1325d4c0047da750caffb7dc6d49ede912ac4a |
| SHA256 | 72945a21013d192a36c7c339e52e7e7341a6c99f36d67ebdffa360874063defe |
| SHA512 | aa8140c29748ed7ab46050b49beee9a0f46ab08ae9fc2461631c06ab005d57c50ad1b3409643d11f69a671c1891a94550cce80407cd2e58a2d053d2c3cd7cbe1 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioChatSOS.exe
| MD5 | fa0ed79ba4dc1468e9cfee937fea11f2 |
| SHA1 | 180786db516284c60070eba4f14159316eacce1c |
| SHA256 | a83172a8bbb9317b945154cc6ec66440ded7a181998359711bd08023870f76a4 |
| SHA512 | 19c18f7c3db7b4683c5ba999e21d95975ea40622d98b3b20a7d5f9c4e9d38426d6db0df365c4e9fefb04f7e3365cf57c4b328b4d714dae5baea9a1c14024baf9 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe
| MD5 | b08752b3b3192966d5808864899f782a |
| SHA1 | 3e5609d69b49932f5e34dd297276b5b5dd79ba42 |
| SHA256 | e15048013473076c144d4326fa5bccd8abaf6479a33bf8cfdea2ab0cf4b01a0c |
| SHA512 | 2c57c66f50dfa77456f70f07aa235964fd71925c149f2b0baaa2933a7b75c53fc4c09e9703c094357a4562eb89e358f2730d58f686758a7b27d39e27f1076722 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\reboot.bat
| MD5 | abe8e3568b6d951e7dd395da46531932 |
| SHA1 | 304d81c1b48e16533ef691a9c965818136b9583c |
| SHA256 | eb700422c31c15757a6c70141274a184d291aac3bde191a964f75a90bc084143 |
| SHA512 | 19a79d90883103302bddbac8a765c6a5196fb78c223d911633285b4ba44ebffa9c64690102498e3bef5991dba0f28847473a44d4f9aa7d637a4c4d3f1efea12e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.key
| MD5 | af1e2edc77bcb6492fdd5beb390b6abe |
| SHA1 | 0f6b7c8876a578cd5361bcc477869528a7b38a3e |
| SHA256 | f574628bf3b3c81c75ea9351d50b5c474770b65eaaa5e16d0452863a16f4486a |
| SHA512 | b56bd491fe24134d5a1612e41e84ac064df722efcb9598f115dafc631889ce8ff4e6f3b9aef13b70b349e7e398874eeb955c9af045d968b31b2de0fe1806ab2c |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\QuicServer.cert
| MD5 | 3ad94236a2d87443f211c0c8c917af9f |
| SHA1 | c9c9fd2a800075d3313b962db35d978cc485a3d0 |
| SHA256 | a7cfacf48d677de09e155204bc5a6b310b06a0bfc8b02c6ae6e916fec3addde6 |
| SHA512 | 9c549ea6a62d7ee4115944c8beb18631e7a313a630460777b6a32df2c9725a018562386183b3e0d85755ff95c5e2dbfaeecaf2744b0ccb0dbe4e2c5b314c610f |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat
| MD5 | fa3c191799254e542687f1f5d0974bc5 |
| SHA1 | dc85aac2aa31cd3de9017e7e099581457ad4fbf2 |
| SHA256 | 347b12e6e2fc79e2a3668625341d7642d531159ffe5b01ab2bc5469e0efc6b3f |
| SHA512 | 635689814e63084910541ba68fe8ade8fdfbc3d0100afd61ddd13d07e61f3478ba75e4d24aa7b26df21a3e46c4ed2b1c8789520c5634cac63cfe32dcb1e8686e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_mount.bat
| MD5 | 88e59700f53de95d2847b9687764be30 |
| SHA1 | cd5780dbf1c711b9c28dc001f4149ba3251becf7 |
| SHA256 | b085f4e0d6a7a4dc967c96d7c318cb749bc497135fd9e35d7ad0c88e6c53f577 |
| SHA512 | 6e7d2fd4cf87b63bab39e225362ecbe60f52fab0da42c97834b8ea59d653cdbd06b98e2c490c5465b1999af2f7869f729cbfc34e55d5ecc768d85d48b9874374 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll
| MD5 | 8e6ec55a95198bfcce99b73bfe02382e |
| SHA1 | 7fc7987cd20030152739549400f1704fe998b36a |
| SHA256 | f89f364ef61da19971e6bd83fe52c8c25c9c8aa60c80acb5b69d2995d5de56d6 |
| SHA512 | efe60eb429d8f70d80300a067c119c69419ad6aedb0ea787f91b241dac3d7e863734a6245bb8b88f2bf327ae173c1453b104a6e9e15901ee74a17c6a148d10d3 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll
| MD5 | 278d7f9c9a7526f35e1774cca0059c36 |
| SHA1 | 423f1ebd3cbd52046a16538d6baa17076610cb2f |
| SHA256 | 12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8 |
| SHA512 | 75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll
| MD5 | d67c971bfe675aada6ad8368e6148b88 |
| SHA1 | 11500abbb177b4f88d7005731b541e131ddf21e8 |
| SHA256 | 1fe6438ff3bd14994366f17d902a86a574ed15c4fa8eeb8181f2bb0597778fa7 |
| SHA512 | 16b8bc0071aae9a1f20720109d81a8ede52c677c5d3bf77ec18a77a301ec1e8d3fc7a826e094d4a601810245cb985e36ac207af8ad5c9bfd541b2d4e3f667825 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.dll
| MD5 | cf52dbefbe8bc2dcd493cdbf050048e1 |
| SHA1 | aed132b049c77fd77645d07b443e1b4e96cb5e51 |
| SHA256 | 8080e398edc43e652c0a104f62ad3c865e9bdc75c2e3936870deaf43fedbc3a4 |
| SHA512 | 75133444a893002b9933eb3a44b66cd862fedc9c05579b188eb250bbc3cc00c61533fb3aa58a1d9b89b45f83cff8a3b02cb0fb605b299e0e7bace13b99020207 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.cnf
| MD5 | a43b7d72b482d48804b377d8832c2693 |
| SHA1 | b1598efda8e9863f520abef9aaa942c313c002fd |
| SHA256 | 9acde3809e2c02fe5d6c59153aefffe6628996ec5cfb7c2385865dcd1ec8be7e |
| SHA512 | f0777a8f79e70f8a12f531c3e77f5241e9ed46acc6a1cbf06ff7a29d91ee281e4cd2a9c1832642992fe74d33b052670f85439e5925fdb7c44de60014e53712da |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
| MD5 | 68d8d459ee6a5027ffe35302b21d66fa |
| SHA1 | 91299e1ff75b293a18105fbdfcb2cde92a6c8507 |
| SHA256 | 0ef5739fcc3850411e1db6af2e194e25c7e473bb950a387a7c851fe02660b4e8 |
| SHA512 | c032e6c057da58374ff51b50b2146e4b27eb6a18a452668eb2c78e3f4e729399f303873a2dc40f5910826a4f23146dfb851b62df3d5948a9039ec6ed23e53b32 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf
| MD5 | e077993e994d28bbc7502681280c5551 |
| SHA1 | 9c3b360f9e81ccf8c8b56be25e4ce9d67d1f61b4 |
| SHA256 | b8d539255fb1ea42ee3b06f0e314b037e35701e2b258272889d866dd3419526b |
| SHA512 | b2fed3539bd94999f9f9a2cfebac6a3632212c10f3d97a5129e444fc548d1685877d0810790b71d342a4ef9080d1efc73bf7a9493b5ccbd93232231ee2251abe |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm
| MD5 | ab3d7c0401590bbdaf4b3c84592d24d6 |
| SHA1 | 756f86b49ca2035638f77bbeb60cfe6a827b553e |
| SHA256 | 4428a8b3f1a63312918ff5f8e1d5ee1f6eeba9d73a336721338d494d2b6e5f6c |
| SHA512 | 24aac8d02347ef3e226531ca15b71714cb53546c7aa1b4d961a72e097c3528ae2590b00ecbaa7e80815e99fafb6919d234e957dfcd08467cd753b24c004b6124 |
memory/2288-369-0x00000000725A0000-0x000000007269D000-memory.dmp
memory/3756-371-0x0000000006F90000-0x0000000006FA8000-memory.dmp
memory/2288-372-0x0000000072080000-0x0000000072444000-memory.dmp
memory/3756-373-0x0000000007600000-0x00000000077C2000-memory.dmp
memory/2288-370-0x0000000072450000-0x000000007256C000-memory.dmp
memory/3756-374-0x000000000A2E0000-0x000000000A80C000-memory.dmp