c108a54cfb054925fcabc45f4c28fcb7610a90807fd1e8529984cbb3c974e8df

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
Size

16.7MB
MD5

ad794fb9c600e13a73f10cceefacd9c7
SHA1

3f26498de7a045e10ebcd6f116801227f0c83e9c
SHA256

c108a54cfb054925fcabc45f4c28fcb7610a90807fd1e8529984cbb3c974e8df
SHA512

9c8a2946dbefb46fd36b3873a40e90c0ae97b11f35708c3d9ad04244324d2152dea4fe09e4bcffe2f49c492c304e9f5a91edc069ec3d8b21819656561a412a2b
SSDEEP

393216:hNRBOCdgiOLeCBMkDuW0PcYpeaKm8BpHalvjFenD:nRBbdg3SyecweaKm8B4vj+D

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a48d-168.dat	acprotect
behavioral1/files/0x000500000001a48b-205.dat	acprotect
behavioral1/files/0x000500000001ad39-206.dat	acprotect
behavioral1/files/0x000500000001a491-344.dat	acprotect

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	SRAppPBSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	SRAppPBSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a48d-168.dat	upx
behavioral1/files/0x000500000001a48b-205.dat	upx
behavioral1/files/0x000500000001ad39-206.dat	upx
behavioral1/memory/1472-208-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/1472-212-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/1472-211-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/2448-230-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/2448-229-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/1472-278-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/1472-279-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/1472-296-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/1472-298-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/1472-297-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/1472-295-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/2448-338-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/2448-339-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/2448-340-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/2448-341-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/files/0x000500000001a491-344.dat	upx
behavioral1/memory/1472-346-0x0000000073480000-0x0000000073569000-memory.dmp	upx
behavioral1/memory/1472-348-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/1472-349-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/1472-347-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/1472-354-0x0000000073340000-0x0000000073429000-memory.dmp	upx
behavioral1/memory/2448-358-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/2448-360-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/2448-359-0x0000000074150000-0x000000007426C000-memory.dmp	upx
behavioral1/memory/1472-363-0x0000000073250000-0x0000000073339000-memory.dmp	upx
behavioral1/memory/1472-362-0x0000000073340000-0x0000000073429000-memory.dmp	upx
behavioral1/memory/2448-398-0x00000000742B0000-0x00000000743AD000-memory.dmp	upx
behavioral1/memory/2448-400-0x0000000073B50000-0x0000000073F14000-memory.dmp	upx
behavioral1/memory/2448-399-0x0000000074150000-0x000000007426C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\WindowsUpdate.log	SRAgentSOS.exe

Executes dropped EXE 7 IoCs

pid	Process
2008	Launcher.exe
1472	SRManagerSOS.exe
2060	SRServerSOS.exe
2448	SRAgentSOS.exe
2344	SRAppPBSOS.exe
1744	SRFeatureSOS.exe
1592	SRUtilitySOS.exe

Loads dropped DLL 21 IoCs

pid	Process
2008	Launcher.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
2060	SRServerSOS.exe
1472	SRManagerSOS.exe
2448	SRAgentSOS.exe
2448	SRAgentSOS.exe
2448	SRAgentSOS.exe
2448	SRAgentSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1744	SRFeatureSOS.exe
1744	SRFeatureSOS.exe
1744	SRFeatureSOS.exe
1744	SRFeatureSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRAgentSOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRAppPBSOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRFeatureSOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRUtilitySOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRManagerSOS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRServerSOS.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe"	SRFeatureSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	SRManagerSOS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local"	SRServerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SRFeatureSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	SRServerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SRManagerSOS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SRManagerSOS.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
2448	SRAgentSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1592	SRUtilitySOS.exe
1592	SRUtilitySOS.exe
1592	SRUtilitySOS.exe
1592	SRUtilitySOS.exe
1592	SRUtilitySOS.exe
1592	SRUtilitySOS.exe
2344	SRAppPBSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe
1472	SRManagerSOS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2448	SRAgentSOS.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
2060	SRServerSOS.exe
2060	SRServerSOS.exe
2344	SRAppPBSOS.exe
2344	SRAppPBSOS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2704	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	30
PID 2740 wrote to memory of 2704	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	30
PID 2740 wrote to memory of 2704	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	30
PID 2740 wrote to memory of 2704	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	30
PID 2704 wrote to memory of 2772	2704	cmd.exe	32
PID 2704 wrote to memory of 2772	2704	cmd.exe	32
PID 2704 wrote to memory of 2772	2704	cmd.exe	32
PID 2740 wrote to memory of 1016	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	33
PID 2740 wrote to memory of 1016	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	33
PID 2740 wrote to memory of 1016	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	33
PID 2740 wrote to memory of 1016	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	33
PID 1016 wrote to memory of 288	1016	cmd.exe	35
PID 1016 wrote to memory of 288	1016	cmd.exe	35
PID 1016 wrote to memory of 288	1016	cmd.exe	35
PID 2740 wrote to memory of 332	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	36
PID 2740 wrote to memory of 332	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	36
PID 2740 wrote to memory of 332	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	36
PID 2740 wrote to memory of 332	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	36
PID 332 wrote to memory of 2084	332	cmd.exe	38
PID 332 wrote to memory of 2084	332	cmd.exe	38
PID 332 wrote to memory of 2084	332	cmd.exe	38
PID 2740 wrote to memory of 2272	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	39
PID 2740 wrote to memory of 2272	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	39
PID 2740 wrote to memory of 2272	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	39
PID 2740 wrote to memory of 2272	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	39
PID 2272 wrote to memory of 1952	2272	cmd.exe	41
PID 2272 wrote to memory of 1952	2272	cmd.exe	41
PID 2272 wrote to memory of 1952	2272	cmd.exe	41
PID 2740 wrote to memory of 1920	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	43
PID 2740 wrote to memory of 1920	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	43
PID 2740 wrote to memory of 1920	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	43
PID 2740 wrote to memory of 1920	2740	2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe	43
PID 1920 wrote to memory of 1144	1920	cmd.exe	45
PID 1920 wrote to memory of 1144	1920	cmd.exe	45
PID 1920 wrote to memory of 1144	1920	cmd.exe	45
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2152 wrote to memory of 2008	2152	taskeng.exe	46
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 2008 wrote to memory of 1472	2008	Launcher.exe	48
PID 1472 wrote to memory of 2060	1472	SRManagerSOS.exe	49
PID 1472 wrote to memory of 2060	1472	SRManagerSOS.exe	49
PID 1472 wrote to memory of 2060	1472	SRManagerSOS.exe	49
PID 1472 wrote to memory of 2060	1472	SRManagerSOS.exe	49
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2448	1472	SRManagerSOS.exe	50
PID 1472 wrote to memory of 2344	1472	SRManagerSOS.exe	51
PID 1472 wrote to memory of 2344	1472	SRManagerSOS.exe	51
PID 1472 wrote to memory of 2344	1472	SRManagerSOS.exe	51
PID 1472 wrote to memory of 2344	1472	SRManagerSOS.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_ad794fb9c600e13a73f10cceefacd9c7_hijackloader_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\expand.exe
    C:\Windows\system32\expand.exe *.cab /f:* .\
    3⤵
    - Drops file in Windows directory
    PID:2772
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:288
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:2084
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:1144

C:\Windows\system32\taskeng.exe
taskeng.exe {36D62D77-02D2-4E1B-A2B6-8A4DFF5A76E2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
    "SRManagerSOS.exe"
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
      SRServerSOS.exe -s
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\Temp\bd2_request_4402d75567e508.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
        
        SRUtilitySOS.exe -r
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt

Filesize
397B

MD5
6584b96c49019dece8a72b04a824b151

SHA1
fe628903adf20bea4a15b942dd74018c7dbc0035

SHA256
66b059b58ccd65d76fe63a94d58a61b7d898d5591e19de2895f8408c12ed1366

SHA512
74b892c010e75b8e6047c71e710ce598730e95500dc0f99fa14f20a4141a489226806b3682071abd93f3e4b8af55a238feaea27cc9dc212194e4c98ea9592165

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
1KB

MD5
93341d8eb5826fd2ed70c9434e5bf341

SHA1
3e9bc1c3c9129163b82aba8251fdcb5f72670ba0

SHA256
daaee9ebc2ec086cff9483670fb7f5306e617f22391e59e9328b721c898dedcd

SHA512
33a77367549460a26382f69b6abffb553d4cac3b49ab6b4a66e4c1ee4360350332c1d377274a28f208897c156c20802caaa9c1e69376f636d79b557c83dffd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

Filesize
2KB

MD5
8ce869f7dbbb2e38c8de76716e49b8a5

SHA1
de73a6b80fca67b06a7e1fec1904095d61b7b864

SHA256
1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47

SHA512
98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

Filesize
183KB

MD5
08a29097f8384bd8c806314f79ebb9d9

SHA1
c6a1640d28dccc27e25dcf15ca886e51d7765a89

SHA256
ff5e0bdb72f0b46a147ab0ba2eff65d7a5e864f4b371be2d405e1b3ead25bc0f

SHA512
a5c2e6ec498133d9619b9d39fba2b88bfdbaf4d11ac6bdd5ab0bb75427cfc9b6f05969f56e0e80a9a2e6251aa063903873836b80990798fd06dc399e6becd6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

Filesize
2.3MB

MD5
3796cc5c6401e84ac96808194ffae284

SHA1
a504f979aa111a38c444994257c069b88d9bb46c

SHA256
286ba3e210bfd4559e3ee7baa8978f07c26c1615b3614399a981b9e3eab13c26

SHA512
c42f7f35d0cdc8c17f930c3a497fc7e9dc62b4fe47892732310cf47f8e7e5f8153ab8fc50191e8460074203dbf9f4c22453799af9ad27c578fb08ceef26fe648

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

Filesize
2.7MB

MD5
29a5338ee3a95b5801b1d05871e067ce

SHA1
0ba47bc6777798bf5ee1b3c9e4f1e6bb2a05f208

SHA256
04eb82a2d45cb03ccb25fbeb548ca04a623b163a74ba494c626800cff3a0cc60

SHA512
541ad13914f772ee052a9d020556e2685999eb13d78b20ccb0599e1f09aaeaa53ffda96323402793300cea63020b9b19ca18b920914356af1e8b3348becb7493

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

Filesize
5KB

MD5
a8b2b3d6c831f120ce624cff48156558

SHA1
202db3bd86f48c2a8779d079716b8cc5363edece

SHA256
33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484

SHA512
3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

Filesize
4.6MB

MD5
0cef87003c916a27f6d2819dc190b47e

SHA1
e4a8f6a321e6abf565d920405455f674b46ba309

SHA256
15609e7ae9361f24d28b3c6937109bd70b39edb69723d2910a2a46804f1069fe

SHA512
29346e56a9b7456b7325ebc0d73a76557b385016ccf02881f01aadf2276a91c1f8420c6a9c352b196f3cbbb7519b976747045eb9042d032ea9cf1200dc27833d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

Filesize
5.1MB

MD5
f15aa86ebe8e57cd1f8015f02d60b0dd

SHA1
2901f5c2475cc7c9a6c68e3d06475dd537789208

SHA256
50209cdf8fb4874a145108cdeb285a5f25dbc85e76c21e663e28d16bc2bbbaf8

SHA512
3675c4a086e575e9da3187a6c9f4b2e5b267eff4b73d9948b4f6a60d8a1cee7380f0caad33eb7a7c7800f2f6ded842eb956b6f79c3cd9c98434757f6f535a62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

Filesize
394KB

MD5
4c534eb38f42bc64f08c33182156d8a1

SHA1
eebd8f8c323e50945a273f1c197e91a9be17bbaf

SHA256
7fa2aa9e466e2f3b884d11984e3d68750cbcddb033f02f8aac4aeef1ee02faa1

SHA512
97d5182bb70e21c5c6e2d43aa62fca5a171aed3d3ac97a623a6fc187590ce3595ddbbf8b82b969be86ea0fed22c5447819a0f72b1304aef1560bdfd5f0054e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

Filesize
1.0MB

MD5
eeda10135ede6edb5c85df3bd878e557

SHA1
8a1059dfd641269945e7a2710b684881bb63e8d2

SHA256
4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697

SHA512
a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

Filesize
1.3MB

MD5
72d867e8c7a84374aa72bf7feca4334e

SHA1
bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e

SHA256
17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84

SHA512
b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

Filesize
365KB

MD5
278d7f9c9a7526f35e1774cca0059c36

SHA1
423f1ebd3cbd52046a16538d6baa17076610cb2f

SHA256
12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8

SHA512
75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

Filesize
333KB

MD5
99a6a9656da926af8aa648d50b47dcfb

SHA1
81db96003bd8f63250abc7e59fb35e0227d3f28a

SHA256
fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98

SHA512
16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

Filesize
16.2MB

MD5
9815229c7b0aa7f1b55262e73c7cdd66

SHA1
60db5ee3f9d4d8d2ec52828e1b0ec034ddea1466

SHA256
ae51436f53bd5e22a6acb469f909079c7df64f5c27c90c9c657d4df7cad44912

SHA512
3ceef4497a2834c5d4ef9f044000f05894a1a018a428507552be78448a73d7d71fd8894e593121e8c32adf8bbb89374efb0f6b69fac118327c8a94cf0739c100

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Tar371C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\bd2_request_4402d75567e508.bat

Filesize
160B

MD5
124a3b08aaa1c9a572d952a3ed560036

SHA1
28051041c507b8623b235be410bb245ec62acce8

SHA256
edc27105bbdd0cf9cb6448f8ab1e138ea2a2b7d8e760db4f7cd5a98cca79072b

SHA512
e8db8adcc0ff46c709b3cc80ce7b38fa6eb28b27546431e84f52a70058df952bd82c10c7a37b384e4d8dd3e36ea777dc541637e42753119732ce5a5ae42dd55a

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

Filesize
1.8MB

MD5
4d6fe30f2c337df644b2412d4d393bc6

SHA1
37a201b4cdeb733447abd1401154df149fa9e2c7

SHA256
d1e89847094f1f914e20bbe087f5c9e4a2b82188f6b5653b42315f9e3b705c60

SHA512
2f94246881ec0668ebf26298067ae84a3906253a03998a1eedb57f03be70c24dbe1a304f4b1168af476d781427d5fe7b08593ca21fc70098b18e34353e505b9d

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

Filesize
156KB

MD5
fdbc20567f6bd8e821047b0dc2afdc65

SHA1
d226a6ee974ce193e2db692f25ebee0b8efd3952

SHA256
42920f49bef6e5e79bec16ec0e7f8f8d670dba3d50a6b5fb8a55d44a9265ee7d

SHA512
1c6d7da4dbbea0b7a24cae456c6463e323d8a9c2ced5ad640f48857e2d6db6957e847c8c95aa9d716070e48d70757352370e9411cedc106ed5dcd737dc8775ae

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

Filesize
548KB

MD5
a9a9d31764b50858a01b1fb228406f06

SHA1
7a313c46f049287045992f54f9d6eda9db568ef8

SHA256
c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645

SHA512
164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

Filesize
190KB

MD5
4a2f597c15ad595cfd83f8a34a0ab07a

SHA1
7f6481be6ddd959adde53251fa7e9283a01f0962

SHA256
5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804

SHA512
0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

Download Submit
memory/1472-278-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/1472-354-0x0000000073340000-0x0000000073429000-memory.dmp

Filesize
932KB

Download
memory/1472-362-0x0000000073340000-0x0000000073429000-memory.dmp

Filesize
932KB

Download
memory/1472-279-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-296-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-298-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/1472-297-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/1472-295-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/1472-211-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-212-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/1472-363-0x0000000073250000-0x0000000073339000-memory.dmp

Filesize
932KB

Download
memory/1472-347-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/1472-349-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/1472-348-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-208-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/1472-346-0x0000000073480000-0x0000000073569000-memory.dmp

Filesize
932KB

Download
memory/2448-341-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/2448-340-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/2448-339-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/2448-229-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/2448-358-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/2448-360-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/2448-359-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download
memory/2448-338-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/2448-230-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/2448-398-0x00000000742B0000-0x00000000743AD000-memory.dmp

Filesize
1012KB

Download
memory/2448-400-0x0000000073B50000-0x0000000073F14000-memory.dmp

Filesize
3.8MB

Download
memory/2448-399-0x0000000074150000-0x000000007426C000-memory.dmp

Filesize
1.1MB

Download