Malware Analysis Report

2025-08-06 01:20

Sample ID 241107-sb456atmdy
Target 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid
SHA256 1990c98db7683ac36db52a8abf09d2973cd699e2428f1a84d5a85dce8911c14f
Tags
discovery upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1990c98db7683ac36db52a8abf09d2973cd699e2428f1a84d5a85dce8911c14f

Threat Level: Shows suspicious behavior

The file 2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery upx

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Checks computer location settings

Drops file in System32 directory

Executes dropped EXE

Checks installed software on the system

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 14:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 14:58

Reported

2024-11-07 15:00

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2720 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2720 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2556 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2556 wrote to memory of 1820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 532 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 532 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2020 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2020 wrote to memory of 348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1712 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 548 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 548 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 548 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Windows\system32\taskeng.exe

taskeng.exe {D67658F6-E54A-475C-8456-8E307D2B756D} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 b0bf3207ca138fd15533a725fd5bb807
SHA1 c01edf19632643acf224f5ebc3c9547fa71228a1
SHA256 90338c0ff5083a91f176c785e58b4e8a536cdaf273bdc2c1c5c479db652f1044
SHA512 39d6d314c2d74e594d2d007e56db23f652043973fb3b439a3082368caec5b0ad9314f25fd48a533cc0079c36827a2a2f477e0b88eb46ec82d2eb03599e88ce16

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 a6095d55c252fe50fe6e2238b615b408
SHA1 a2b5cd42434921fac9d8f6c5a9b9a15a221b1e32
SHA256 1fb07064aa7aaaa61babbe78eb05cf4bc446bee9e740a012b6459a48b9185808
SHA512 deb1e27929c7b866be7e20822a476cffec00da64c62e997693533aa626041976e4107ee3a3c6467db89ecf77a935e78c049eb7df8a9e2456d5a7b4d097493031

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

MD5 694108221033253d3fe1ec0d42708b35
SHA1 875f186db147a342e2326489fef105737f726046
SHA256 50f163445bd8465bfda6075a25b4204dab3b04025b351f98aff3d1354f889c62
SHA512 20046e6e3bbb9ec39dc1e9aed6fee483119b6154881ef6c9d33b8132548e3d6e2d4a870547d3159688902d654f3c594de170aaefdafb723edc28989358ca8a47

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

MD5 a8b2b3d6c831f120ce624cff48156558
SHA1 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

MD5 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1 de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

MD5 5d4047d09fa30aafc2ee265afcfdacc4
SHA1 47caafb8d67d97b0347cca98e8763349485b5e77
SHA256 ac54dccb48af54e59a10dbc4b58963100968cf578c19863a0370b377386ec5d5
SHA512 0d1d9048691d249e6ebaf6ae5fa6016022b79b7be6bdd9232613e3ba7e85fd5132e6c01fc8b07171d38a0122ac7d8c584ee5e35eddf0632cb3bfc22b05821737

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

MD5 4a2f597c15ad595cfd83f8a34a0ab07a
SHA1 7f6481be6ddd959adde53251fa7e9283a01f0962
SHA256 5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804
SHA512 0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprintmon_x86.dll

MD5 ddbcbced9ccba27d296b680d04178b1d
SHA1 5be1ef49678e4f9250b675dfe595df1219dd7ef9
SHA256 b23b42e24eab4e2f1dd94711eec741f94d39f5ebaf238820a0b9d464522c24d2
SHA512 b913058a50a4235925f208e9fa8740dda1a070168285401fd9c9032c0cc782887f5d92a0d68796d7473e61ee8ddc1e863503c288cad1f99c233a0dede37cb314

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprintmon_x64.dll

MD5 7dd3ca728e061f9c438209935df41fd8
SHA1 d291c17619fb2e9b8a4cf07b53a56dc60cfb4c8e
SHA256 f19f300e4623e3b57f870d8e4b150f2e70d29e6cb47750671d53667bb0804202
SHA512 e7d0ab0eb37f6b245b1ebde46c2d9184ab801eb659e4f4ed7c2afd07843a1646612290ad3c315ee9bf7fc1a9425b58e2a03810014ddbb621eb46b331aa2e753e

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat

MD5 1d56a3f8d7f5dab184a8cc4feddaa173
SHA1 75d291cb96fdc05d54c962f1cb08796ee439b22f
SHA256 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e
SHA512 fb58167a98d9309a703f06d5c6414ab707b37e90a26bfc1c0812b10381c116fa6c7c26ac30fc8570b8f87186775bc64e7af6d409a7d213fc3b4b76b0b7a76fb6

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.inf

MD5 313535621266212971e303af0af4fe21
SHA1 d81f9d3f7b638de5efca0ecb0162a76485e2c2bf
SHA256 0b60a283cb98034cee13118bf1f885a644479cc6f4b19d9e4d24a5fec6064a1f
SHA512 8a1a716a2cad85410f009ee0cdf570f4ca36e3a182927ca5b836f3fc0bee466f0c4e8b583694a6a4014ce60c45a2439119bf0c1adda0ed168053e9f08a6df608

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat

MD5 2dac6568b843ebdc5c98598ca32918be
SHA1 e7740e4be7f71a82adbb6e5224d33534e237614c
SHA256 eb61a0e06bf8c69597f9bb1909e3eb4f926e49800c3f9721fda3007993da5ee7
SHA512 1bc8aa82e68911f5ee1835d19cf49a736c1c35c2f6b4fcd48c3c6fcf7ff6958400d1e815c5e891e172af9035232175bb00e8a21f5a0590f02dc683f45a6c3d8b

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264WrapperExx.dll

MD5 c0b530dcb39bffa1b2a64dcb9dce67cc
SHA1 fc80610e9876b750b5c71cdba679610320c3df49
SHA256 a4103499c3584f3d2274e8d81b1355312d7ccf2ca794c746915ada79c12f0d7d
SHA512 1326ad4b4ee3920e21449a0367e5912605aeaaf5c692a9042feebd2e4b789408de605a7154d2dcd8a038358a98457312403c7ad550b3cda64ed9d3e81e23459c

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264WrapperEx.dll

MD5 6b82a354476fa7c56175ee060f08e2c9
SHA1 d77566d72c6f1c796c2e8087a9bd04920455b138
SHA256 754c8d6c7c91b7620a7ee34665c28f0be67686591e5b49a7e9b8c33baef6c37e
SHA512 e5241dcf50b4d6003fcf1fe14f8693cde525cdf020e7cf7557b76ac954102722c7721bde48dae08a4524a12e611af950588adbeebc95158901bca6238ce2fa51

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRx264Wrapper.dll

MD5 861875d4cd48d76e650270655c6e0b93
SHA1 02007cb5e10bdd433ec0e754207ba04cb1c1d598
SHA256 41b65f25f5a5b9635d28d467c3e423cd533e239a641922326ae41f329a5b6be5
SHA512 1109e26fb73c677492b79f0c1c1f3adccf11962a848497046bde7ae35c20a5fc48f33f415d6d231e3867b279d80a0069347f1365bac1ac5658f3e3a1ed8e6020

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRVideoCtrlEx.dll

MD5 7a90ec5109e67e431caf2fd55d41f82f
SHA1 412f6a3e795502cd39f76fd51b138e06a081f146
SHA256 2fa77b33ccce1b5412a9866acb63b050f6f94485ef8aec378bc82d02929a1001
SHA512 acdbe23b0fa784ea5433a223aea32cf1c86436f7c9f4e715a10b6a891b4d6b8ceaa943c26444b5813afdb6c9c4de6f43b81a632d74920373c0d802613dfd2ed0

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRVideoCtrl.dll

MD5 562d29b934bfb893af36f03cba478ae3
SHA1 5aa2d1a95ee82dadb2ee604e503ceaf3fbfddd6f
SHA256 adeddb37d54e44f84be0f3824a5c2e98edf831d6e16836c4cdf34fc47da4bbf3
SHA512 0e85a3bc34d44815442daaecf910ae02216b28891d785c2c85072fb2824e0ac4056a658c76522c4659f5275f975f291c8bc9217856f52ef1db6778069fcf8a20

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

MD5 4a3e37f3189e286732c097625f66cbeb
SHA1 07443d2e446696ea3d454fb511785c54f1b9d692
SHA256 9d5ad887858f91b394267a193caefdd0b2247b510ce684028d5abde1c2ab0610
SHA512 5fb1d9467688cea1024e45d2e9bf25b5bd2b272d7471077a849499ef4da5d03de720b64fc111c87b913e85a9c37882ec01e3af2fe71280d75a353f76ebad8160

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

MD5 4c534eb38f42bc64f08c33182156d8a1
SHA1 eebd8f8c323e50945a273f1c197e91a9be17bbaf
SHA256 7fa2aa9e466e2f3b884d11984e3d68750cbcddb033f02f8aac4aeef1ee02faa1
SHA512 97d5182bb70e21c5c6e2d43aa62fca5a171aed3d3ac97a623a6fc187590ce3595ddbbf8b82b969be86ea0fed22c5447819a0f72b1304aef1560bdfd5f0054e98

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServiceSOS.exe

MD5 7851479c0f15c3a96d02046c6b5ebbd6
SHA1 692fa8dbbe27e42947d58abfeed458e64beaf255
SHA256 cd6f128476a732ee309e839aa056ee32fd7f98cdbeddf3e93a5abc552fa3d05f
SHA512 3065f9c2c83928a9173ac39e88dfc51503a08a62df4596a0369f47b03b9285482ac88c43bc09be1dee740d5ac76741861647e998c52414b02871bb998d7ebb61

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

MD5 393830c320fccbced08ed693bdec80f0
SHA1 1fc1d88d4db881af32540926b1ac901af72d9ff7
SHA256 6fd3f1370638043928215e1dfd6e29c0bbc250188001c2e356f708c147c11359
SHA512 8cd4f8af20b6a35e60e6522971e1e2ed2a4cdbe26215051758e690291d077fcc8c3e2d407878280fe4858e69daad4088381f573a8058754bf3f0bb44f2e64389

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SROpus.dll

MD5 7c3b0175c350e6aea7c5f4f331fb7457
SHA1 46fe50380b66c64a98b08017dc0d8566d9b22847
SHA256 a83cdfc6addac319e9cf2f950958db790ca430f96d900b5205828ebe9b2829a8
SHA512 4b3972eb174ae834b39f34d51d19aca9eace14cacc54d0314dfbde8b38c2a0514e81b5861bee9cf8465313f6b98db31b0c2d314b052cc8f5cdf58c7af7e61aac

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

MD5 6bbf902fcba6e17773232805831e9b73
SHA1 09f23cb4861a07541eb0e57ddd67462ea3697d5c
SHA256 ba7ee39b274953a47678cc1c5bf7d0c82f4fdba483a760ede46be9c27f91c4d7
SHA512 5c86b9f22bc61c078b219c7463b0dd8ddc39e40dffa620b08b6eca2c2d28b18446c06074ae1260baa2cd0c07c4a08135590b7f722a24a360a8ffa712187d707e

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOSNoUIA.exe

MD5 aa8be7cdb4d5eda4e2a986f695c0941b
SHA1 85cbcebf8c75e0b9172419d188e18100955cf5f0
SHA256 0ba061d85c9e38f14ac2350c58934d3ea674c853dcbd85643f01a15bcabcc6a1
SHA512 9af66cd21c31608412a15cd090f0d9361097df5b98ccbd0179bfa88bb0002bc5565c110d8f320e2efdb6a85681774c94da3143d30cc7fc863e1a126c45d7e43d

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRChatSOS.exe

MD5 e5c1742057210dab9bd690de1ed762d3
SHA1 6c4e3597289653855e2e948faeaf861550e77655
SHA256 0c80b9ca4c2dcaae8cd90e7b385c0215143ab3a2c85558529d652d2e87eb4a3a
SHA512 6fc5c61da8a5162fce609970df89e451f99d227e27778e14ec85b3440b448c3da5507fe097ead5c6d796080546836953bfb7035c989d2089cdb63089d26ce886

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioResample.dll

MD5 a84334edd4524897aea6a3e48aee1370
SHA1 8505d4b14647d44cbb2f6e7b9f03b2b96840a920
SHA256 40eefba6b13c35261cba798dfb07f87a1f314879c3b381dc19bd2f187c42f2b1
SHA512 7c46a7b483bf0f3889cd4dc882e3739769dca2476f8970bee73c6ff823716cbd814d8aae51ce9db31d4eec559d8c1bfeb6188b6cdaacf3e47d497a643390c6be

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAudioChatSOS.exe

MD5 27db41a9cedfa6fec4ee711ec63b718e
SHA1 da677689c8b491d700ff5c646d4a134df49012ff
SHA256 35b3e7cf77f7f089710946cc97d5fba9e57b3a29443f1dde35609431af4d9933
SHA512 9bfdc3bfe37d914c422e865391110b2fac3ed110311b50af107d284821483b47c4e58d5e1a268d9639e82c1d082a03ba74ee71d846492bcbf611ec3b99af3a59

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppSOS.exe

MD5 12faa60ab94ab21be3a4d377ccdf888e
SHA1 9edaf35984380afc625f90185c93d17429b77462
SHA256 00c05255babdbf2c01c61ba61f499fecf3686da3ea3e17946f60d72575e7efd9
SHA512 90b5d0f4efc73a668d79e2b456066cff78bf4d5f5f302ae93aad42ed7bd72fad22a9fc260443d98643d923b241faec38adff696b556fbc6968701d60dcc50ba3

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

MD5 a490f9458c33bd398784f2a279191fe5
SHA1 75608efd13ec19a2bd9adaf4a3c213fe8b56b58c
SHA256 a4291f8933c7c7f86f41b6d8c55b38b32d423ca2de2fd849bfb34cfaa3a423c9
SHA512 7fe5000e801e23d7f606b44e630069b3b1da3610b7f24710dfc45692d5c1f630cae0008ce7ec64f943725a33a290fd22621dec7ff0b22496a7a8a79f95777f3d

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

MD5 bec6156158a67602b09cf0da73030c97
SHA1 7d3b3f04b1b0687c2f57b4eef16025e5b510078a
SHA256 915ab66486ebc2d53e00fb67009e9075f5f38362ec9991dea0edd22e1f376b85
SHA512 83a9db2a90bf15fbfaa11fa22ca360645b0dc75dfd6ec78cd8e92d1545b25661338d748b2bc135382e46ce14825e4c1e93ac08f5f9d7c357ff60fe1748f06a3d

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\reboot.bat

MD5 abe8e3568b6d951e7dd395da46531932
SHA1 304d81c1b48e16533ef691a9c965818136b9583c
SHA256 eb700422c31c15757a6c70141274a184d291aac3bde191a964f75a90bc084143
SHA512 19a79d90883103302bddbac8a765c6a5196fb78c223d911633285b4ba44ebffa9c64690102498e3bef5991dba0f28847473a44d4f9aa7d637a4c4d3f1efea12e

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_unmount.bat

MD5 fa3c191799254e542687f1f5d0974bc5
SHA1 dc85aac2aa31cd3de9017e7e099581457ad4fbf2
SHA256 347b12e6e2fc79e2a3668625341d7642d531159ffe5b01ab2bc5469e0efc6b3f
SHA512 635689814e63084910541ba68fe8ade8fdfbc3d0100afd61ddd13d07e61f3478ba75e4d24aa7b26df21a3e46c4ed2b1c8789520c5634cac63cfe32dcb1e8686e

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\p_mount.bat

MD5 88e59700f53de95d2847b9687764be30
SHA1 cd5780dbf1c711b9c28dc001f4149ba3251becf7
SHA256 b085f4e0d6a7a4dc967c96d7c318cb749bc497135fd9e35d7ad0c88e6c53f577
SHA512 6e7d2fd4cf87b63bab39e225362ecbe60f52fab0da42c97834b8ea59d653cdbd06b98e2c490c5465b1999af2f7869f729cbfc34e55d5ecc768d85d48b9874374

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libx264-116.dll

MD5 86e88f1fb340a5277c93ea1ce13bbc3a
SHA1 89ac87a63b5f8ff5510a555f5fb9f033be6ca684
SHA256 36835ddabb167330b4714b106b7c26e8dac6a9acf7c48a9967049b0faa6bc709
SHA512 2131686ffae474ad8a98a20b18ddd5a9e19c86b76fe2f3b4a2e648f3990f43ea4855ad72f2b33c9d89174e23a4fbae1f9d92eda0672a32d1ff90e7f3a79ab996

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

MD5 99a6a9656da926af8aa648d50b47dcfb
SHA1 81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256 fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

MD5 278d7f9c9a7526f35e1774cca0059c36
SHA1 423f1ebd3cbd52046a16538d6baa17076610cb2f
SHA256 12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8
SHA512 75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

MD5 72d867e8c7a84374aa72bf7feca4334e
SHA1 bbe4c42beb19a1f23bfbcfc5a67164d5ea29784e
SHA256 17d29b81faea714b5a93008711d92d1329b22244a2e9f56736064caa4fd3cd84
SHA512 b523df6ffe4a51180cdf2bda761b01a521391a6b24e081309c33c91835c19be96015b932d527822f5837802a979a3c48f5cc111892c47c082e8bcb8f2115ac3f

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcelt-0.dll

MD5 d858121c47064f3dd7dda829d1e01620
SHA1 5f46afad5eef3ca6e06d6d9dd660ba21a1cad711
SHA256 c4324843f73b573d9d569012e37d17a34e17d0dba55cb77993531a42667994b5
SHA512 c807d41739fa6519f0c3662c47bdd58860f87068177a9024c0e6c98fe9a27e2c73a57f81909afd9a7756f3d54c88ac8007ee37e9b3fa5f0a04e3f8a9bec74d20

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.dll

MD5 cf52dbefbe8bc2dcd493cdbf050048e1
SHA1 aed132b049c77fd77645d07b443e1b4e96cb5e51
SHA256 8080e398edc43e652c0a104f62ad3c865e9bdc75c2e3936870deaf43fedbc3a4
SHA512 75133444a893002b9933eb3a44b66cd862fedc9c05579b188eb250bbc3cc00c61533fb3aa58a1d9b89b45f83cff8a3b02cb0fb605b299e0e7bace13b99020207

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\legacy.cnf

MD5 a43b7d72b482d48804b377d8832c2693
SHA1 b1598efda8e9863f520abef9aaa942c313c002fd
SHA256 9acde3809e2c02fe5d6c59153aefffe6628996ec5cfb7c2385865dcd1ec8be7e
SHA512 f0777a8f79e70f8a12f531c3e77f5241e9ed46acc6a1cbf06ff7a29d91ee281e4cd2a9c1832642992fe74d33b052670f85439e5925fdb7c44de60014e53712da

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

MD5 11bab8f4bc4d4866478d292f86d87d90
SHA1 2a64756a78c369bafae006bac8e4748d3fbeff9d
SHA256 543be8a168f0e74bc57cfbb4da66966ef195a40b642f9d09b4ddb19e57c18724
SHA512 fde665f35b2a3a7b7bf217f8930aadee7583ec7e94b03c59a6ea282f4009c4cc1508380071c95b3742bddd5c8f2589a776d75d3c6bc14a2dbf64e8bcee1e81ef

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll

MD5 68d8d459ee6a5027ffe35302b21d66fa
SHA1 91299e1ff75b293a18105fbdfcb2cde92a6c8507
SHA256 0ef5739fcc3850411e1db6af2e194e25c7e473bb950a387a7c851fe02660b4e8
SHA512 c032e6c057da58374ff51b50b2146e4b27eb6a18a452668eb2c78e3f4e729399f303873a2dc40f5910826a4f23146dfb851b62df3d5948a9039ec6ed23e53b32

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf

MD5 e077993e994d28bbc7502681280c5551
SHA1 9c3b360f9e81ccf8c8b56be25e4ce9d67d1f61b4
SHA256 b8d539255fb1ea42ee3b06f0e314b037e35701e2b258272889d866dd3419526b
SHA512 b2fed3539bd94999f9f9a2cfebac6a3632212c10f3d97a5129e444fc548d1685877d0810790b71d342a4ef9080d1efc73bf7a9493b5ccbd93232231ee2251abe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

MD5 eeda10135ede6edb5c85df3bd878e557
SHA1 8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512 a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

MD5 a9a9d31764b50858a01b1fb228406f06
SHA1 7a313c46f049287045992f54f9d6eda9db568ef8
SHA256 c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645
SHA512 164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Acknowledgements.htm

MD5 ab3d7c0401590bbdaf4b3c84592d24d6
SHA1 756f86b49ca2035638f77bbeb60cfe6a827b553e
SHA256 4428a8b3f1a63312918ff5f8e1d5ee1f6eeba9d73a336721338d494d2b6e5f6c
SHA512 24aac8d02347ef3e226531ca15b71714cb53546c7aa1b4d961a72e097c3528ae2590b00ecbaa7e80815e99fafb6919d234e957dfcd08467cd753b24c004b6124

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 14:58

Reported

2024-11-07 15:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1992 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1600 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 4444 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4444 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1600 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 744 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1600 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1508 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1600 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 1600 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 804 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 3636 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3636 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3200 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 3200 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 3200 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 3200 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 3200 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 3200 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 3200 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 3200 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 3200 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 3200 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 3200 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 3200 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 4620 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 4620 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 4620 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 3204 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-07_c419a52486f6aa8865475f957f08dfdf_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

"SRManagerSOS.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

SRServerSOS.exe -s

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

SRUtilitySOS.exe -r

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_43b3c272f5b5d66.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3701-g3.api.splashtop.com udp
US 13.248.165.227:443 st-lookup-v1-sos-srs-win-3701-g3.api.splashtop.com tcp
US 8.8.8.8:53 st-v3-sos-srs-win-3701-g3.api.splashtop.eu udp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
US 8.8.8.8:53 227.165.248.13.in-addr.arpa udp
US 8.8.8.8:53 175.250.67.3.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 st-relay-v3-sos-srs-win-3701-g3.api.splashtop.eu udp
DE 52.58.37.15:443 st-relay-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
US 8.8.8.8:53 35-242-149-236.relay.splashtop.com udp
GB 35.242.149.236:443 35-242-149-236.relay.splashtop.com tcp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
US 8.8.8.8:53 15.37.58.52.in-addr.arpa udp
US 8.8.8.8:53 236.149.242.35.in-addr.arpa udp
DE 3.67.250.175:443 st-v3-sos-srs-win-3701-g3.api.splashtop.eu tcp
US 8.8.8.8:53 52-215-205-78.relay.splashtop.com udp
US 8.8.8.8:53 140-238-93-208.relay.splashtop.com udp
US 8.8.8.8:53 134-65-58-97.relay.splashtop.com udp
US 8.8.8.8:53 35-246-54-78.relay.splashtop.com udp
US 8.8.8.8:53 13-40-85-67.relay.splashtop.com udp
IE 52.215.205.78:443 52-215-205-78.relay.splashtop.com tcp
GB 140.238.93.208:443 140-238-93-208.relay.splashtop.com tcp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
GB 35.246.54.78:443 35-246-54-78.relay.splashtop.com tcp
GB 13.40.85.67:443 13-40-85-67.relay.splashtop.com tcp
US 8.8.8.8:53 208.93.238.140.in-addr.arpa udp
US 8.8.8.8:53 97.58.65.134.in-addr.arpa udp
US 8.8.8.8:53 78.54.246.35.in-addr.arpa udp
US 8.8.8.8:53 67.85.40.13.in-addr.arpa udp
US 8.8.8.8:53 78.205.215.52.in-addr.arpa udp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
IE 52.215.205.78:443 52-215-205-78.relay.splashtop.com tcp
GB 140.238.93.208:443 140-238-93-208.relay.splashtop.com tcp
GB 13.40.85.67:443 13-40-85-67.relay.splashtop.com tcp
GB 35.246.54.78:443 35-246-54-78.relay.splashtop.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
IE 52.215.205.78:443 52-215-205-78.relay.splashtop.com tcp
GB 35.246.54.78:443 35-246-54-78.relay.splashtop.com tcp
GB 140.238.93.208:443 140-238-93-208.relay.splashtop.com tcp
GB 13.40.85.67:443 13-40-85-67.relay.splashtop.com tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 c64addf3cffec7aea5a02a192c74bfb5
SHA1 f601f64d9d323de64394e30aed26223c836a6a15
SHA256 8d0e9f04ca0dcbc18bfac6874f0c6c6a250782956d144118d23721dc2304c67e
SHA512 b1799a0f6b7e420fdcef916efd2c1ac2a9e3aef95342d1b62256205623cd6f2fa46ccec2aa14dc35e056786be584a56688290db62cc097f61b1463f3dc2222bd

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

MD5 694108221033253d3fe1ec0d42708b35
SHA1 875f186db147a342e2326489fef105737f726046
SHA256 50f163445bd8465bfda6075a25b4204dab3b04025b351f98aff3d1354f889c62
SHA512 20046e6e3bbb9ec39dc1e9aed6fee483119b6154881ef6c9d33b8132548e3d6e2d4a870547d3159688902d654f3c594de170aaefdafb723edc28989358ca8a47

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

MD5 a8b2b3d6c831f120ce624cff48156558
SHA1 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

MD5 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1 de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47