Analysis Overview
SHA256
1990c98db7683ac36db52a8abf09d2973cd699e2428f1a84d5a85dce8911c14f
Threat Level: Shows suspicious behavior
The file 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid was classified as: Shows suspicious behavior. The "icedid" suffix is part of the submitted file name, not a verdict from the sandbox: no IcedID family signature appears among the signatures matched below.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Checks computer location settings
Drops file in System32 directory
Executes dropped EXE
Checks installed software on the system
Loads dropped DLL
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 14:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 14:58
Reported
2024-11-07 15:00
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
10 matches; the report records no description, indicator, process or target for them.
UPX packed file
10 matches; the report records no description, indicator, process or target for them.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\expand.exe
C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\schtasks.exe
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /run /tn ASOS1
C:\Windows\system32\taskeng.exe
taskeng.exe {D67658F6-E54A-475C-8456-8E307D2B756D} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn ASOS1
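The process tree above is a short elevation-and-cleanup sequence rather than ordinary persistence: `schtasks /create /xml ASOS.xml /ru "system"` registers a task that will run as LocalSystem, `/change /tr` re-points its action at Launcher.exe in the user-writable Temp directory, `/run` fires it immediately (the taskeng.exe line shows it ran as S-1-5-18), and `/delete /f` removes the task a few commands later, so a later enumeration of scheduled tasks finds nothing. Creating a task with `/ru system` needs administrative rights, which the sandbox's Admin account has. The detection below is an added example, not part of the sandbox report or of the analysed software: it correlates schtasks command lines per task name over constructed process-creation events (the field shape of Sysmon Event ID 1 / Security 4688 is assumed), unwraps the `cmd.exe /c` wrapper seen in the tree, and flags the four properties that together make this sequence suspicious. The benign Backup task and the timestamps are invented.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the sandbox report): one dict per
# process-creation event, reduced to the fields a Sysmon Event ID 1 or Security 4688
# record carries. The ASOS1 lines reproduce the command lines in the process tree
# above; the Backup task is benign noise to show that routine task creation passes.
SAMPLE_EVENTS = [
    {"ts": 101.0,
     "cmdline": '"C:\\Windows\\sysnative\\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1'},
    {"ts": 102.0,
     "cmdline": 'schtasks /change /tn ASOS1 /ru "system" /tr '
                '"\'C:\\Users\\Admin\\AppData\\Local\\Temp\\unpacksos\\1\\\\Launcher.exe\' SRManagerSOS.exe 1 "'},
    {"ts": 103.0, "cmdline": "schtasks /run /tn ASOS1"},
    {"ts": 105.0, "cmdline": "schtasks /delete /f /tn ASOS1"},
    {"ts": 200.0,
     "cmdline": 'schtasks /create /sc daily /st 02:00 /tn Backup /tr "C:\\Program Files\\Backup\\run.exe"'},
]

VERBS = {"/create", "/change", "/run", "/delete", "/query", "/end"}
VALUED_OPTS = {"/tn", "/ru", "/rp", "/tr", "/xml", "/sc", "/st", "/sd", "/mo", "/s", "/u", "/p"}
SYSTEM_ALIASES = {"system", "nt authority\\system", "localsystem", "s-1-5-18"}
# Locations a standard user can write to; a SYSTEM task whose action lives in one of
# them can have its binary swapped by that user before the task fires.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_EXT = re.compile(r"(?i)(.+?\.(?:exe|bat|cmd|ps1|vbs|js|dll))(?:\s|$)")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans as one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return (verb, options) for a schtasks command line, or None if it is not one."""
    return _parse_tokens(tokenize(cmdline))


def _parse_tokens(tokens):
    if not tokens:
        return None
    lowered = [t.lower() for t in tokens]
    exe = lowered[0].rsplit("\\", 1)[-1]
    if exe in ("cmd", "cmd.exe") and "/c" in lowered:
        return _parse_tokens(tokens[lowered.index("/c") + 1:])   # unwrap "cmd /c schtasks ..."
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(tokens):
        tok = lowered[i]
        if tok in VERBS:
            verb = tok
        elif tok in VALUED_OPTS and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 1
        elif tok.startswith("/"):
            opts[tok] = True                                   # bare flag such as /f
        i += 1
    return verb, opts


def action_path(tr_value):
    """Executable path from a /tr value: a quoted path, or an unquoted one up to its extension."""
    tr_value = tr_value.strip()
    if tr_value[:1] in ("'", '"'):
        end = tr_value.find(tr_value[0], 1)
        return tr_value[1:end] if end > 0 else tr_value[1:]
    m = _EXT.match(tr_value)
    return m.group(1) if m else tr_value.split(" ", 1)[0]


def analyze(events, window=300.0):
    """Correlate schtasks commands per task name; return {task: [finding, ...]} for flagged tasks."""
    history = defaultdict(list)                # task name (lower-cased) -> [(ts, verb, opts)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        parsed = parse_schtasks(ev["cmdline"])
        if parsed and isinstance(parsed[1].get("/tn"), str):
            history[parsed[1]["/tn"].lower()].append((ev["ts"], parsed[0], parsed[1]))

    findings = {}
    for name, steps in history.items():
        hits = set()
        for _, verb, opts in steps:
            if verb in ("/create", "/change") and str(opts.get("/ru", "")).lower() in SYSTEM_ALIASES:
                hits.add("runs_as_system")
            if verb == "/change" and "/tr" in opts:
                hits.add("action_rewritten_after_create")
            if isinstance(opts.get("/tr"), str) and USER_WRITABLE.search(action_path(opts["/tr"])):
                hits.add("action_in_user_writable_path")
        verbs = {verb for _, verb, _ in steps}
        created = [ts for ts, verb, _ in steps if verb in ("/create", "/change")]
        if {"/run", "/delete"} <= verbs and created:
            deleted = max(ts for ts, verb, _ in steps if verb == "/delete")
            if deleted - min(created) <= window:
                hits.add("run_then_deleted_within_window")
        if hits:
            findings[name] = sorted(hits)
    return findings
```

Where process command-line logging is unavailable, the same sequence is visible in the Security log as 4698 (task created), 4702 (task updated) and 4699 (task deleted) for task name ASOS1, and the 4698/4702 events carry the task XML including the `/tr` action; correlating those three by task name within a short window gives the same "run_then_deleted" signal without parsing command lines.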
Network
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
| MD5 | b0bf3207ca138fd15533a725fd5bb807 |
| SHA1 | c01edf19632643acf224f5ebc3c9547fa71228a1 |
| SHA256 | 90338c0ff5083a91f176c785e58b4e8a536cdaf273bdc2c1c5c479db652f1044 |
| SHA512 | 39d6d314c2d74e594d2d007e56db23f652043973fb3b439a3082368caec5b0ad9314f25fd48a533cc0079c36827a2a2f477e0b88eb46ec82d2eb03599e88ce16 |
C:\Users\Admin\AppData\Local\Temp\unpack1.log
| MD5 | a6095d55c252fe50fe6e2238b615b408 |
| SHA1 | a2b5cd42434921fac9d8f6c5a9b9a15a221b1e32 |
| SHA256 | 1fb07064aa7aaaa61babbe78eb05cf4bc446bee9e740a012b6459a48b9185808 |
| SHA512 | deb1e27929c7b866be7e20822a476cffec00da64c62e997693533aa626041976e4107ee3a3c6467db89ecf77a935e78c049eb7df8a9e2456d5a7b4d097493031 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
| MD5 | 694108221033253d3fe1ec0d42708b35 |
| SHA1 | 875f186db147a342e2326489fef105737f726046 |
| SHA256 | 50f163445bd8465bfda6075a25b4204dab3b04025b351f98aff3d1354f889c62 |
| SHA512 | 20046e6e3bbb9ec39dc1e9aed6fee483119b6154881ef6c9d33b8132548e3d6e2d4a870547d3159688902d654f3c594de170aaefdafb723edc28989358ca8a47 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
| MD5 | a8b2b3d6c831f120ce624cff48156558 |
| SHA1 | 202db3bd86f48c2a8779d079716b8cc5363edece |
| SHA256 | 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484 |
| SHA512 | 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
| MD5 | 8ce869f7dbbb2e38c8de76716e49b8a5 |
| SHA1 | de73a6b80fca67b06a7e1fec1904095d61b7b864 |
| SHA256 | 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47 |
| SHA512 | 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
| MD5 | 5d4047d09fa30aafc2ee265afcfdacc4 |
| SHA1 | 47caafb8d67d97b0347cca98e8763349485b5e77 |
| SHA256 | ac54dccb48af54e59a10dbc4b58963100968cf578c19863a0370b377386ec5d5 |
| SHA512 | 0d1d9048691d249e6ebaf6ae5fa6016022b79b7be6bdd9232613e3ba7e85fd5132e6c01fc8b07171d38a0122ac7d8c584ee5e35eddf0632cb3bfc22b05821737 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
| MD5 | 4a2f597c15ad595cfd83f8a34a0ab07a |
| SHA1 | 7f6481be6ddd959adde53251fa7e9283a01f0962 |
| SHA256 | 5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804 |
| SHA512 | 0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprintmon_x86.dll
| MD5 | ddbcbced9ccba27d296b680d04178b1d |
| SHA1 | 5be1ef49678e4f9250b675dfe595df1219dd7ef9 |
| SHA256 | b23b42e24eab4e2f1dd94711eec741f94d39f5ebaf238820a0b9d464522c24d2 |
| SHA512 | b913058a50a4235925f208e9fa8740dda1a070168285401fd9c9032c0cc782887f5d92a0d68796d7473e61ee8ddc1e863503c288cad1f99c233a0dede37cb314 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprintmon_x64.dll
| MD5 | 7dd3ca728e061f9c438209935df41fd8 |
| SHA1 | d291c17619fb2e9b8a4cf07b53a56dc60cfb4c8e |
| SHA256 | f19f300e4623e3b57f870d8e4b150f2e70d29e6cb47750671d53667bb0804202 |
| SHA512 | e7d0ab0eb37f6b245b1ebde46c2d9184ab801eb659e4f4ed7c2afd07843a1646612290ad3c315ee9bf7fc1a9425b58e2a03810014ddbb621eb46b331aa2e753e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat
| MD5 | 1d56a3f8d7f5dab184a8cc4feddaa173 |
| SHA1 | 75d291cb96fdc05d54c962f1cb08796ee439b22f |
| SHA256 | 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e |
| SHA512 | fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.inf
| MD5 | 313535621266212971e303af0af4fe21 |
| SHA1 | d81f9d3f7b638de5efca0ecb0162a76485e2c2bf |
| SHA256 | 0b60a283cb98034cee13118bf1f885a644479cc6f4b19d9e4d24a5fec6064a1f |
| SHA512 | 8a1a716a2cad85410f009ee0cdf570f4ca36e3a182927ca5b836f3fc0bee466f0c4e8b583694a6a4014ce60c45a2439119bf0c1adda0ed168053e9f08a6df608 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat
| MD5 | 2dac6568b843ebdc5c98598ca32918be |
| SHA1 | e7740e4be7f71a82adbb6e5224d33534e237614c |
| SHA256 | eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7 |
| SHA512 | 1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264WrapperExx.dll
| MD5 | c0b530dcb39bffa1b2a64dcb9dce67cc |
| SHA1 | fc80610e9876b750b5c71cdba679610320c3df49 |
| SHA256 | a4103499c3584f3d2274e8d81b1355312d7ccf2ca794c746915ada79c12f0d7d |
| SHA512 | 1326ad4b4ee3920e21449a0367e5912605aeaaf5c692a9042feebd2e4b789408de605a7154d2dcd8a038358a98457312403c7ad550b3cda64ed9d3e81e23459c |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264WrapperEx.dll
| MD5 | 6b82a354476fa7c56175ee060f08e2c9 |
| SHA1 | d77566d72c6f1c796c2e8087a9bd04920455b138 |
| SHA256 | 754c8d6c7c91b7620a7ee34665c28f0be67686591e5b49a7e9b8c33baef6c37e |
| SHA512 | e5241dcf50b4d6003fcf1fe14f8693cde525cdf020e7cf7557b76ac954102722c7721bde48dae08a4524a12e611af950588adbeebc95158901bca6238ce2fa51 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264Wrapper.dll
| MD5 | 861875d4cd48d76e650270655c6e0b93 |
| SHA1 | 02007cb5e10bdd433ec0e754207ba04cb1c1d598 |
| SHA256 | 41b65f25f5a5b9635d28d467c3e423cd533e239a641922326ae41f329a5b6be5 |
| SHA512 | 1109e26fb73c677492b79f0c1c1f3adccf11962a848497046bde7ae35c20a5fc48f33f415d6d231e3867b279d80a0069347f1365bac1ac5658f3e3a1ed8e6020 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRVideoCtrlEx.dll
| MD5 | 7a90ec5109e67e431caf2fd55d41f82f |
| SHA1 | 412f6a3e795502cd39f76fd51b138e06a081f146 |
| SHA256 | 2fa77b33ccce1b5412a9866acb63b050f6f94485ef8aec378bc82d02929a1001 |
| SHA512 | acdbe23b0fa784ea5433a223aea32cf1c86436f7c9f4e715a10b6a891b4d6b8ceaa943c26444b5813afdb6c9c4de6f43b81a632d74920373c0d802613dfd2ed0 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRVideoCtrl.dll
| MD5 | 562d29b934bfb893af36f03cba478ae3 |
| SHA1 | 5aa2d1a95ee82dadb2ee604e503ceaf3fbfddd6f |
| SHA256 | adeddb37d54e44f84be0f3824a5c2e98edf831d6e16836c4cdf34fc47da4bbf3 |
| SHA512 | 0e85a3bc34d44815442daaecf910ae02216b28891d785c2c85072fb2824e0ac4056a658c76522c4659f5275f975f291c8bc9217856f52ef1db6778069fcf8a20 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
| MD5 | 4a3e37f3189e286732c097625f66cbeb |
| SHA1 | 07443d2e446696ea3d454fb511785c54f1b9d692 |
| SHA256 | 9d5ad887858f91b394267a193caefdd0b2247b510ce684028d5abde1c2ab0610 |
| SHA512 | 5fb1d9467688cea1024e45d2e9bf25b5bd2b272d7471077a849499ef4da5d03de720b64fc111c87b913e85a9c37882ec01e3af2fe71280d75a353f76ebad8160 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
| MD5 | 4c534eb38f42bc64f08c33182156d8a1 |
| SHA1 | eebd8f8c323e50945a273f1c197e91a9be17bbaf |
| SHA256 | 7fa2aa9e466e2f3b884d11984e3d68750cbcddb033f02f8aac4aeef1ee02faa1 |
| SHA512 | 97d5182bb70e21c5c6e2d43aa62fca5a171aed3d3ac97a623a6fc187590ce3595ddbbf8b82b969be86ea0fed22c5447819a0f72b1304aef1560bdfd5f0054e98 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServiceSOS.exe
| MD5 | 7851479c0f15c3a96d02046c6b5ebbd6 |
| SHA1 | 692fa8dbbe27e42947d58abfeed458e64beaf255 |
| SHA256 | cd6f128476a732ee309e839aa056ee32fd7f98cdbeddf3e93a5abc552fa3d05f |
| SHA512 | 3065f9c2c83928a9173ac39e88dfc51503a08a62df4596a0369f47b03b9285482ac88c43bc09be1dee740d5ac76741861647e998c52414b02871bb998d7ebb61 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
| MD5 | 393830c320fccbced08ed693bdec80f0 |
| SHA1 | 1fc1d88d4db881af32540926b1ac901af72d9ff7 |
| SHA256 | 6fd3f1370638043928215e1dfd6e29c0bbc250188001c2e356f708c147c11359 |
| SHA512 | 8cd4f8af20b6a35e60e6522971e1e2ed2a4cdbe26215051758e690291d077fcc8c3e2d407878280fe4858e69daad4088381f573a8058754bf3f0bb44f2e64389 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SROpus.dll
| MD5 | 7c3b0175c350e6aea7c5f4f331fb7457 |
| SHA1 | 46fe50380b66c64a98b08017dc0d8566d9b22847 |
| SHA256 | a83cdfc6addac319e9cf2f950958db790ca430f96d900b5205828ebe9b2829a8 |
| SHA512 | 4b3972eb174ae834b39f34d51d19aca9eace14cacc54d0314dfbde8b38c2a0514e81b5861bee9cf8465313f6b98db31b0c2d314b052cc8f5cdf58c7af7e61aac |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
| MD5 | 6bbf902fcba6e17773232805831e9b73 |
| SHA1 | 09f23cb4861a07541eb0e57ddd67462ea3697d5c |
| SHA256 | ba7ee39b274953a47678cc1c5bf7d0c82f4fdba483a760ede46be9c27f91c4d7 |
| SHA512 | 5c86b9f22bc61c078b219c7463b0dd8ddc39e40dffa620b08b6eca2c2d28b18446c06074ae1260baa2cd0c07c4a08135590b7f722a24a360a8ffa712187d707e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOSNoUIA.exe
| MD5 | aa8be7cdb4d5eda4e2a986f695c0941b |
| SHA1 | 85cbcebf8c75e0b9172419d188e18100955cf5f0 |
| SHA256 | 0ba061d85c9e38f14ac2350c58934d3ea674c853dcbd85643f01a15bcabcc6a1 |
| SHA512 | 9af66cd21c31608412a15cd090f0d9361097df5b98ccbd0179bfa88bb0002bc5565c110d8f320e2efdb6a85681774c94da3143d30cc7fc863e1a126c45d7e43d |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe
| MD5 | e5c1742057210dab9bd690de1ed762d3 |
| SHA1 | 6c4e3597289653855e2e948faeaf861550e77655 |
| SHA256 | 0c80b9ca4c2dcaae8cd90e7b385c0215143ab3a2c85558529d652d2e87eb4a3a |
| SHA512 | 6fc5c61da8a5162fce609970df89e451f99d227e27778e14ec85b3440b448c3da5507fe097ead5c6d796080546836953bfb7035c989d2089cdb63089d26ce886 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioResample.dll
| MD5 | a84334edd4524897aea6a3e48aee1370 |
| SHA1 | 8505d4b14647d44cbb2f6e7b9f03b2b96840a920 |
| SHA256 | 40eefba6b13c35261cba798dfb07f87a1f314879c3b381dc19bd2f187c42f2b1 |
| SHA512 | 7c46a7b483bf0f3889cd4dc882e3739769dca2476f8970bee73c6ff823716cbd814d8aae51ce9db31d4eec559d8c1bfeb6188b6cdaacf3e47d497a643390c6be |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioChatSOS.exe
| MD5 | 27db41a9cedfa6fec4ee711ec63b718e |
| SHA1 | da677689c8b491d700ff5c646d4a134df49012ff |
| SHA256 | 35b3e7cf77f7f089710946cc97d5fba9e57b3a29443f1dde35609431af4d9933 |
| SHA512 | 9bfdc3bfe37d914c422e865391110b2fac3ed110311b50af107d284821483b47c4e58d5e1a268d9639e82c1d082a03ba74ee71d846492bcbf611ec3b99af3a59 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe
| MD5 | 12faa60ab94ab21be3a4d377ccdf888e |
| SHA1 | 9edaf35984380afc625f90185c93d17429b77462 |
| SHA256 | 00c05255babdbf2c01c61ba61f499fecf3686da3ea3e17946f60d72575e7efd9 |
| SHA512 | 90b5d0f4efc73a668d79e2b456066cff78bf4d5f5f302ae93aad42ed7bd72fad22a9fc260443d98643d923b241faec38adff696b556fbc6968701d60dcc50ba3 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
| MD5 | a490f9458c33bd398784f2a279191fe5 |
| SHA1 | 75608efd13ec19a2bd9adaf4a3c213fe8b56b58c |
| SHA256 | a4291f8933c7c7f86f41b6d8c55b38b32d423ca2de2fd849bfb34cfaa3a423c9 |
| SHA512 | 7fe5000e801e23d7f606b44e630069b3b1da3610b7f24710dfc45692d5c1f630cae0008ce7ec64f943725a33a290fd22621dec7ff0b22496a7a8a79f95777f3d |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
| MD5 | bec6156158a67602b09cf0da73030c97 |
| SHA1 | 7d3b3f04b1b0687c2f57b4eef16025e5b510078a |
| SHA256 | 915ab66486ebc2d53e00fb67009e9075f5f38362ec9991dea0edd22e1f376b85 |
| SHA512 | 83a9db2a90bf15fbfaa11fa22ca360645b0dc75dfd6ec78cd8e92d1545b25661338d748b2bc135382e46ce14825e4c1e93ac08f5f9d7c357ff60fe1748f06a3d |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\reboot.bat
| MD5 | abe8e3568b6d951e7dd395da46531932 |
| SHA1 | 304d81c1b48e16533ef691a9c965818136b9583c |
| SHA256 | eb700422c31c15757a6c70141274a184d291aac3bde191a964f75a90bc084143 |
| SHA512 | 19a79d90883103302bddbac8a765c6a5196fb78c223d911633285b4ba44ebffa9c64690102498e3bef5991dba0f28847473a44d4f9aa7d637a4c4d3f1efea12e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat
| MD5 | fa3c191799254e542687f1f5d0974bc5 |
| SHA1 | dc85aac2aa31cd3de9017e7e099581457ad4fbf2 |
| SHA256 | 347b12e6e2fc79e2a3668625341d7642d531159ffe5b01ab2bc5469e0efc6b3f |
| SHA512 | 635689814e63084910541ba68fe8ade8fdfbc3d0100afd61ddd13d07e61f3478ba75e4d24aa7b26df21a3e46c4ed2b1c8789520c5634cac63cfe32dcb1e8686e |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_mount.bat
| MD5 | 88e59700f53de95d2847b9687764be30 |
| SHA1 | cd5780dbf1c711b9c28dc001f4149ba3251becf7 |
| SHA256 | b085f4e0d6a7a4dc967c96d7c318cb749bc497135fd9e35d7ad0c88e6c53f577 |
| SHA512 | 6e7d2fd4cf87b63bab39e225362ecbe60f52fab0da42c97834b8ea59d653cdbd06b98e2c490c5465b1999af2f7869f729cbfc34e55d5ecc768d85d48b9874374 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll
| MD5 | 86e88f1fb340a5277c93ea1ce13bbc3a |
| SHA1 | 89ac87a63b5f8ff5510a555f5fb9f033be6ca684 |
| SHA256 | 36835ddabb167330b4714b106b7c26e8dac6a9acf7c48a9967049b0faa6bc709 |
| SHA512 | 2131686ffae474ad8a98a20b18ddd5a9e19c86b76fe2f3b4a2e648f3990f43ea4855ad72f2b33c9d89174e23a4fbae1f9d92eda0672a32d1ff90e7f3a79ab996 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
| MD5 | 99a6a9656da926af8aa648d50b47dcfb |
| SHA1 | 81db96003bd8f63250abc7e59fb35e0227d3f28a |
| SHA256 | fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98 |
| SHA512 | 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll
| MD5 | 278d7f9c9a7526f35e1774cca0059c36 |
| SHA1 | 423f1ebd3cbd52046a16538d6baa17076610cb2f |
| SHA256 | 12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8 |
| SHA512 | 75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
| MD5 | 72d867e8c7a84374aa72bf7feca4334e |
| SHA1 | bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e |
| SHA256 | 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84 |
| SHA512 | b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll
| MD5 | d858121c47064f3dd7dda829d1e01620 |
| SHA1 | 5f46afad5eef3ca6e06d6d9dd660ba21a1cad711 |
| SHA256 | c4324843f73b573d9d569012e37d17a34e17d0dba55cb77993531a42667994b5 |
| SHA512 | c807d41739fa6519f0c3662c47bdd58860f87068177a9024c0e6c98fe9a27e2c73a57f81909afd9a7756f3d54c88ac8007ee37e9b3fa5f0a04e3f8a9bec74d20 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.dll
| MD5 | cf52dbefbe8bc2dcd493cdbf050048e1 |
| SHA1 | aed132b049c77fd77645d07b443e1b4e96cb5e51 |
| SHA256 | 8080e398edc43e652c0a104f62ad3c865e9bdc75c2e3936870deaf43fedbc3a4 |
| SHA512 | 75133444a893002b9933eb3a44b66cd862fedc9c05579b188eb250bbc3cc00c61533fb3aa58a1d9b89b45f83cff8a3b02cb0fb605b299e0e7bace13b99020207 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.cnf
| MD5 | a43b7d72b482d48804b377d8832c2693 |
| SHA1 | b1598efda8e9863f520abef9aaa942c313c002fd |
| SHA256 | 9acde3809e2c02fe5d6c59153aefffe6628996ec5cfb7c2385865dcd1ec8be7e |
| SHA512 | f0777a8f79e70f8a12f531c3e77f5241e9ed46acc6a1cbf06ff7a29d91ee281e4cd2a9c1832642992fe74d33b052670f85439e5925fdb7c44de60014e53712da |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
| MD5 | 11bab8f4bc4d4866478d292f86d87d90 |
| SHA1 | 2a64756a78c369bafae006bac8e4748d3fbeff9d |
| SHA256 | 543be8a168f0e74bc57cfbb4da66966ef195a40b642f9d09b4ddb19e57c18724 |
| SHA512 | fde665f35b2a3a7b7bf217f8930aadee7583ec7e94b03c59a6ea282f4009c4cc1508380071c95b3742bddd5c8f2589a776d75d3c6bc14a2dbf64e8bcee1e81ef |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
| MD5 | 68d8d459ee6a5027ffe35302b21d66fa |
| SHA1 | 91299e1ff75b293a18105fbdfcb2cde92a6c8507 |
| SHA256 | 0ef5739fcc3850411e1db6af2e194e25c7e473bb950a387a7c851fe02660b4e8 |
| SHA512 | c032e6c057da58374ff51b50b2146e4b27eb6a18a452668eb2c78e3f4e729399f303873a2dc40f5910826a4f23146dfb851b62df3d5948a9039ec6ed23e53b32 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf
| MD5 | e077993e994d28bbc7502681280c5551 |
| SHA1 | 9c3b360f9e81ccf8c8b56be25e4ce9d67d1f61b4 |
| SHA256 | b8d539255fb1ea42ee3b06f0e314b037e35701e2b258272889d866dd3419526b |
| SHA512 | b2fed3539bd94999f9f9a2cfebac6a3632212c10f3d97a5129e444fc548d1685877d0810790b71d342a4ef9080d1efc73bf7a9493b5ccbd93232231ee2251abe |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
| MD5 | eeda10135ede6edb5c85df3bd878e557 |
| SHA1 | 8a1059dfd641269945e7a2710b684881bb63e8d2 |
| SHA256 | 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697 |
| SHA512 | a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
| MD5 | a9a9d31764b50858a01b1fb228406f06 |
| SHA1 | 7a313c46f049287045992f54f9d6eda9db568ef8 |
| SHA256 | c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645 |
| SHA512 | 164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm
| MD5 | ab3d7c0401590bbdaf4b3c84592d24d6 |
| SHA1 | 756f86b49ca2035638f77bbeb60cfe6a827b553e |
| SHA256 | 4428a8b3f1a63312918ff5f8e1d5ee1f6eeba9d73a336721338d494d2b6e5f6c |
| SHA512 | 24aac8d02347ef3e226531ca15b71714cb53546c7aa1b4d961a72e097c3528ae2590b00ecbaa7e80815e99fafb6919d234e957dfcd08467cd753b24c004b6124 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 14:58
Reported
2024-11-07 15:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
4 matches; the report records no description, indicator, process or target for them.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
UPX packed file
22 matches; the report records no description, indicator, process or target for them.
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
Checks SCSI registry key(s)
SRAgentSOS.exe reads the HardwareID, FriendlyName, DeviceDesc and Mfg values of the enumerated disk and optical drive. The CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM entry reveals that the detonation VM is QEMU-backed, so the same lookup doubles as hypervisor fingerprinting when a sample chooses to use it that way.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\expand.exe
C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\schtasks.exe
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /run /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
"SRManagerSOS.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
SRServerSOS.exe -s
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
SRUtilitySOS.exe -r
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_43b3c272f5b5d66.bat
Network
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
C:\Windows\Temp\bd2_request_43b3c272f5b5d66.bat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf