Malware Analysis Report

2024-12-07 16:16

Sample ID 241113-n75pcasakq
Target 2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid
SHA256 6ea0b2cf655c6bf0c44dac0b9ab0fc97c2ee52b4873f48cb1243616a59669a46
Tags
discovery upx execution
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6ea0b2cf655c6bf0c44dac0b9ab0fc97c2ee52b4873f48cb1243616a59669a46

Threat Level: Shows suspicious behavior

The file 2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid was classified as: Shows suspicious behavior. The "icedid" in the file name is part of the submitted filename, not a family detection: the report's tags are discovery, upx and execution only, and none of the triggered signatures identifies a malware family.

Malicious Activity Summary

discovery upx execution

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Drops file in System32 directory

Checks computer location settings

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:03

Reported

2024-11-13 12:06

Platform

win7-20241010-en

Max time kernel

151s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

5 entries, all fields (Description, Indicator, Process, Target) recorded as N/A.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

UPX packed file

upx
34 entries, all fields (Description, Indicator, Process, Target) recorded as N/A.

Checks installed software on the system

discovery

Drops file in Windows directory

Note: expand.exe is the built-in cabinet (.cab) extraction utility and logs to C:\Windows\Logs\DPX\. The WriteProcessMemory table below shows it was started by cmd.exe from the sample (PID 2768 -> 2848 -> 2776), so these log writes are consistent with the sample extracting an archive, the likely origin of the components under C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.
Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A

Modifies data under HKEY_USERS

Note: HKEY_USERS\.DEFAULT is the hive the LocalSystem account sees as HKEY_CURRENT_USER. Writes there by SRManagerSOS.exe, together with its CryptnetUrlCache writes under C:\Windows\SysWOW64\config\systemprofile (the SYSTEM profile as seen by a 32-bit process through file system redirection) in the System32 signature above, indicate that SRManagerSOS.exe and the task-launched chain it belongs to were running as SYSTEM, not as the Admin user who executed the sample.
Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe" C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local" C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Modifies system certificate store

evasion spyware trojan
Caveat: both certificates land in the AuthRoot store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot), which is the store CryptoAPI's automatic root certificate update fills on demand while building a certificate chain, and the writes coincide with the CryptnetUrlCache activity recorded above. The same pattern appears when any process validates a signature on a machine that has not yet cached the issuing root, so treat this as corroborating evidence rather than proof that a rogue root was installed; compare the two thumbprints below against the Microsoft Trusted Root Program list before escalating.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Note: the WriteProcessMemory table below records four separate cmd.exe -> schtasks.exe invocations from the sample (schtasks PIDs 520, 2380, 1732 and 1904) and, later in the run, taskeng.exe (PID 2384) starting C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe (PID 2508), so the task was not only registered but fired during the 151 s detonation. The schtasks command lines (task names, triggers, run-as account) are not reproduced in this section; they belong to the Processes section.
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2848 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2848 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2396 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2396 wrote to memory of 520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2480 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2480 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2768 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2488 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2488 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2488 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2768 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2084 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2084 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2384 wrote to memory of 2508 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
PID 2508 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 984 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 984 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Windows\system32\taskeng.exe

taskeng.exe {160D17E6-8CEC-4B9A-9B3A-3B2BF6D3A739} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

"SRManagerSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

SRServerSOS.exe -s

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

SRUtilitySOS.exe -r

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\Temp\bd2_request_2ff16a09ec9c00.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 76.223.35.50:443 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700.api.splashtop.com udp
US 52.223.42.244:443 st-lookup-v1-sos-srs-win-3700.api.splashtop.com tcp
US 8.8.8.8:53 st-v3-sos-srs-win-3700.api.splashtop.eu udp
DE 52.57.96.131:443 st-v3-sos-srs-win-3700.api.splashtop.eu tcp
US 8.8.8.8:53 st-relay-v3-sos-srs-win-3700.api.splashtop.eu udp
DE 18.194.23.159:443 st-relay-v3-sos-srs-win-3700.api.splashtop.eu tcp
US 8.8.8.8:53 132-145-44-30.relay.splashtop.com udp
GB 132.145.44.30:443 132-145-44-30.relay.splashtop.com tcp
US 8.8.8.8:53 3-254-92-28.relay.splashtop.com udp
US 8.8.8.8:53 134-65-58-97.relay.splashtop.com udp
US 8.8.8.8:53 140-238-72-181.relay.splashtop.com udp
US 8.8.8.8:53 34-147-188-244.relay.splashtop.com udp
US 8.8.8.8:53 3-8-123-23.relay.splashtop.com udp
IE 3.254.92.28:443 3-254-92-28.relay.splashtop.com tcp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
GB 34.147.188.244:443 34-147-188-244.relay.splashtop.com tcp
GB 140.238.72.181:443 140-238-72-181.relay.splashtop.com tcp
GB 3.8.123.23:443 3-8-123-23.relay.splashtop.com tcp
N/A 127.0.0.1:49581 tcp
N/A 127.0.0.1:49583 tcp
N/A 127.0.0.1:49585 tcp
N/A 127.0.0.1:49588 tcp
N/A 127.0.0.1:49590 tcp
N/A 127.0.0.1:49609 tcp
N/A 127.0.0.1:49611 tcp
N/A 127.0.0.1:49613 tcp
N/A 127.0.0.1:49616 tcp
N/A 127.0.0.1:49620 tcp
N/A 127.0.0.1:49634 tcp
N/A 127.0.0.1:49636 tcp
N/A 127.0.0.1:49638 tcp
N/A 127.0.0.1:49641 tcp
N/A 127.0.0.1:49643 tcp

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico
C:\Windows\Temp\TarB1E6.tmp
C:\Windows\Temp\bd2_request_2ff16a09ec9c00.bat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf
\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 12:03

Reported

2024-11-13 12:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A

UPX packed file

upx

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
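
Two things worth checking before reading the rows above as a certificate-store compromise. First, every row is a "Key created" under \REGISTRY\USER\.DEFAULT, and the paths are store containers (CA, Root, Disallowed, TrustedPeople, trust, SmartCardRoot and their Certificates, CRLs and CTLs subkeys) rather than certificate blobs; that is what CryptoAPI does the first time a process opens a per-user store in a profile that has none, and it does not by itself show that anything was installed. Second, HKU\.DEFAULT is the profile hive the LocalSystem account sees as HKEY_CURRENT_USER, so the hive tells you that SRManagerSOS.exe and the powershell.exe it spawned ran as SYSTEM, which matches the schtasks /ru "system" commands recorded later in this report. The script below is an added example for this page, not sandbox or Splashtop code: it parses a subset of the rows copied from the table, labels the writer's security context from the hive, separates container-key creation from an actual certificate write, and includes one constructed "Set value" row (placeholder thumbprint and process) to show what a real install would look like in the same layout.

```python
"""Classify the "Modifies system certificate store" rows: which hive they
live in (and so under which account the writer ran) and whether anything
was actually installed. Added example for this report, not sandbox or
Splashtop code; the page rows are copied, the final Set value row is a
constructed illustration of what a real certificate install looks like."""
import re
from collections import Counter, defaultdict

# Rows copied from the signature table above (a representative subset).
REG_ROWS = r"""
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
"""

# Constructed, hypothetical row in the same layout: a certificate blob being
# written into the machine Root store. Thumbprint and process are placeholders.
HYPOTHETICAL_INSTALL = r"""
Set value \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob C:\Windows\System32\certutil.exe N/A
"""

ROW_RE = re.compile(r"^(Key created|Set value)\s+(.+?)\s+([A-Za-z]:\\\S+)\s+(\S+)$")
# Hive prefix -> security context of the writer. HKU\.DEFAULT is the profile
# hive the LocalSystem account (S-1-5-18) sees as HKEY_CURRENT_USER.
HIVE_CONTEXT = {
    r"\REGISTRY\USER\.DEFAULT": "LocalSystem",
    r"\REGISTRY\MACHINE": "machine-wide",
}
# Container keys CryptoAPI creates on first open of a per-user store (no content).
STORE_CONTAINER = re.compile(
    r"\\SystemCertificates\\(Root|CA|Disallowed|TrustedPeople|trust|SmartCardRoot|AuthRoot|My)"
    r"(\\(Certificates|CRLs|CTLs))?$", re.I)
# A certificate actually landing in a store: a Blob value under Certificates\<thumbprint>.
CERT_BLOB = re.compile(r"\\SystemCertificates\\\w+\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)


def parse_rows(text):
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            events.append({"op": m[1], "path": m[2], "process": m[3]})
    return events


def context_of(path):
    for prefix, ctx in HIVE_CONTEXT.items():
        if path.lower().startswith(prefix.lower()):
            return ctx
    return "unknown"


def classify(event):
    if event["op"] == "Set value" and CERT_BLOB.search(event["path"]):
        return "cert-written"
    if event["op"] == "Key created" and STORE_CONTAINER.search(event["path"]):
        return "store-init"
    return "other-key" if event["op"] == "Key created" else "other-write"


def cert_store_verdict(text):
    events = parse_rows(text)
    by_proc = defaultdict(Counter)
    for e in events:
        by_proc[e["process"].rsplit("\\", 1)[-1]][classify(e)] += 1
    return {
        "events": len(events),
        "contexts": {context_of(e["path"]) for e in events},
        "by_process": dict(by_proc),
        "certs_written": [e["path"] for e in events if classify(e) == "cert-written"],
    }


if __name__ == "__main__":
    for label, text in (("report rows", REG_ROWS),
                        ("with constructed install", REG_ROWS + HYPOTHETICAL_INSTALL)):
        v = cert_store_verdict(text)
        print(label, v["contexts"], v["by_process"], "certs written:", len(v["certs_written"]))
```

On the report's own rows the verdict is "store-init" and "other-key" only, all in LocalSystem context and with no certificate written; only the constructed Set value row produces a "cert-written" finding. The store name list and the Blob pattern are this example's assumptions about how CryptoAPI lays out the registry stores, not something the sandbox report states.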

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 1420 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2292 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3000 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5068 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1088 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4464 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 540 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 540 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 540 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 4140 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 4140 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 4140 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
PID 4140 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 4140 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 4140 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 4140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 4140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 4140 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
PID 4140 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 4140 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 4140 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
PID 1564 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 1564 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 1564 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
PID 4552 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\chcp.com
PID 3112 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\chcp.com
PID 3112 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\expand.exe

C:\Windows\system32\expand.exe *.cab /f:* .\

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\schtasks.exe

schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /run /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1

C:\Windows\system32\schtasks.exe

schtasks /delete /f /tn ASOS1

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

"SRManagerSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

SRServerSOS.exe -s

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

SRUtilitySOS.exe -r

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_1559b2ee40ac030.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
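
The four schtasks calls above are the part of this process list worth reading closely: the sample creates task ASOS1 from a dropped XML with /ru "system", rewrites its action to Launcher.exe in the user's Temp directory, runs it once and deletes it. The effect shows up in the WriteProcessMemory table: Launcher.exe (PID 540) has no recorded parent, because the Task Scheduler service started it as SYSTEM rather than the sample, and everything from SRManagerSOS.exe down to the powershell.exe Windows Update query descends from that new root. The script below is an added example for this page, not sandbox or Splashtop code. It rebuilds the process tree from a de-duplicated subset of the "wrote to memory" rows copied from the report, parses the four schtasks command lines copied from this section, and links the task's /tr action back to the orphan root. The detection heuristic (create, run and delete of one task name with /ru system whose action lives under a user-writable path) is this example's own assumption.

```python
"""Rebuild the detonation's process tree from the "wrote to memory" rows and
flag the transient SYSTEM scheduled task in the command lines above. Added
example for this report, not sandbox or Splashtop code: the rows and command
lines are copied from the page; the heuristic (create, run and delete of one
task name with /ru system, action under a user-writable path) is this
example's own assumption."""
import re
from collections import defaultdict

# WriteProcessMemory rows, one per parent/child pair (the report lists each
# pair two or three times; the set-based tree collapses the repeats).
WPM_ROWS = r"""
PID 2292 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\expand.exe
PID 2292 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2292 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 540 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
PID 4140 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
PID 4552 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# The schtasks command lines from the Processes section, in order.
SCHTASKS_CMDS = r'''
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
schtasks /run /tn ASOS1
schtasks /delete /f /tn ASOS1
'''

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)


def build_tree(rows):
    """Return (children: pid -> set of child pids, image: pid -> exe path)."""
    children, image = defaultdict(set), {}
    for m in WPM_RE.finditer(rows):
        ppid, cpid = int(m[1]), int(m[2])
        children[ppid].add(cpid)
        image[ppid], image[cpid] = m[3], m[4]
    return children, image


def roots(children, image):
    """PIDs with no recorded parent: the sample itself, plus anything started
    from outside the tree (here: by the Task Scheduler service)."""
    is_child = {c for cs in children.values() for c in cs}
    return sorted(p for p in image if p not in is_child)


def parse_schtasks(cmd):
    verb = re.search(r"/(create|change|run|delete)\b", cmd, re.I)
    tn = re.search(r"/tn\s+(\S+)", cmd, re.I)
    ru = re.search(r'/ru\s+"?([^"\s]+)"?', cmd, re.I)
    tr = re.search(r'/tr\s+"(.*)"\s*$', cmd, re.I)
    return {"verb": verb[1].lower(), "task": tn[1].lower() if tn else None,
            "run_as": ru[1].lower() if ru else None,
            "action": tr[1].strip() if tr else None}


def action_exe(action):
    """First token of a /tr action, unquoted, with the doubled backslash the
    sample writes before Launcher.exe collapsed to a single one."""
    m = re.match(r"'([^']+)'|(\S+)", action)
    return (m[1] or m[2]).replace("\\\\", "\\")


def assess_tasks(cmds, children, image):
    by_task = defaultdict(list)
    for cmd in cmds.strip().splitlines():
        ev = parse_schtasks(cmd)
        by_task[ev["task"]].append(ev)
    findings = []
    for task, evs in by_task.items():
        verbs = [e["verb"] for e in evs]
        run_as = next((e["run_as"] for e in evs if e["run_as"]), None)
        action = next((e["action"] for e in evs if e["action"]), None)
        exe = action_exe(action) if action else None
        # Root processes whose image is the task's action were started by the
        # scheduler under /ru, not by the sample: that is where the tree breaks.
        launched = [p for p in roots(children, image)
                    if exe and image[p].lower() == exe.lower()]
        findings.append({
            "task": task, "verbs": verbs, "run_as": run_as, "action_exe": exe,
            "launched_pids": launched,
            "suspicious": {"create", "run", "delete"} <= set(verbs)
                          and run_as == "system"
                          and bool(exe and USER_WRITABLE.match(exe)),
        })
    return findings


if __name__ == "__main__":
    children, image = build_tree(WPM_ROWS)
    print("roots:", [(p, image[p]) for p in roots(children, image)])
    for f in assess_tasks(SCHTASKS_CMDS, children, image):
        print(f)
```

The same parent/child and command-line fields are what an EDR exposes, so the logic carries over to telemetry: a task that is created, run and deleted within one detonation is the signal, and the orphaned root whose image equals the task action is how you stitch the two halves of the tree back together.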

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 76.223.35.50:443 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 st-v3-sos-srs-win-3700-g3.api.splashtop.eu udp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 50.35.223.76.in-addr.arpa udp
US 8.8.8.8:53 75.79.125.3.in-addr.arpa udp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 st-relay-v3-sos-srs-win-3700-g3.api.splashtop.eu udp
DE 18.185.231.156:443 st-relay-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 140-238-79-96.relay.splashtop.com udp
GB 140.238.79.96:443 140-238-79-96.relay.splashtop.com tcp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 156.231.185.18.in-addr.arpa udp
US 8.8.8.8:53 96.79.238.140.in-addr.arpa udp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 134-65-58-97.relay.splashtop.com udp
US 8.8.8.8:53 35-177-75-182.relay.splashtop.com udp
US 8.8.8.8:53 54-217-182-57.relay.splashtop.com udp
US 8.8.8.8:53 35-197-220-128.relay.splashtop.com udp
US 8.8.8.8:53 132-145-54-27.relay.splashtop.com udp
GB 35.177.75.182:443 35-177-75-182.relay.splashtop.com tcp
GB 35.197.220.128:443 35-197-220-128.relay.splashtop.com tcp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
IE 54.217.182.57:443 54-217-182-57.relay.splashtop.com tcp
GB 132.145.54.27:443 132-145-54-27.relay.splashtop.com tcp
US 8.8.8.8:53 27.54.145.132.in-addr.arpa udp
US 8.8.8.8:53 128.220.197.35.in-addr.arpa udp
US 8.8.8.8:53 182.75.177.35.in-addr.arpa udp
US 8.8.8.8:53 97.58.65.134.in-addr.arpa udp
US 8.8.8.8:53 57.182.217.54.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 52.252.198.191:443 fe2cr.update.microsoft.com tcp
US 8.8.8.8:53 191.198.252.52.in-addr.arpa udp
US 8.8.8.8:53 download.windowsupdate.com udp
US 199.232.210.172:80 download.windowsupdate.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
IE 54.217.182.57:443 54-217-182-57.relay.splashtop.com tcp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
GB 35.177.75.182:443 35-177-75-182.relay.splashtop.com tcp
GB 132.145.54.27:443 132-145-54-27.relay.splashtop.com tcp
GB 35.197.220.128:443 35-197-220-128.relay.splashtop.com tcp
IE 54.217.182.57:443 54-217-182-57.relay.splashtop.com tcp
GB 35.197.220.128:443 35-197-220-128.relay.splashtop.com tcp
GB 132.145.54.27:443 132-145-54-27.relay.splashtop.com tcp
GB 134.65.58.97:443 134-65-58-97.relay.splashtop.com tcp
GB 35.177.75.182:443 35-177-75-182.relay.splashtop.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
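
Most rows in the table above are not connections but reverse (PTR) lookups: the Windows stack asks 8.8.8.8 for names like 172.210.232.199.in-addr.arpa, which decodes (octets reversed) to 199.232.210.172, the download.windowsupdate.com destination a few rows later. Decoding them is worth doing because several PTR queries name addresses that never appear as a destination in the table, and the forward names fall into a handful of registrable domains (splashtop.com, splashtop.eu, microsoft.com, windowsupdate.com). The script below is an added example for this page, not sandbox code: it parses a subset of rows copied from the table, decodes the PTR names, ties each to the TCP destinations actually contacted, and lists the rest. Treating those leftover PTRs as "unexplained" is this example's own heuristic; they may be OS background traffic or connections outside the captured window.

```python
"""Turn the Network table above into an IOC summary: decode the in-addr.arpa
(PTR) lookups back to IPv4, tie them to the TCP destinations that were
actually contacted, and group the contacted hosts by registrable domain.
Added example for this report, not sandbox code; the rows are a subset
copied from the table."""

# Constructed subset of the Network table rows (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com udp
US 76.223.35.50:443 st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com tcp
US 8.8.8.8:53 st-v3-sos-srs-win-3700-g3.api.splashtop.eu udp
DE 3.125.79.75:443 st-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
US 8.8.8.8:53 50.35.223.76.in-addr.arpa udp
US 8.8.8.8:53 75.79.125.3.in-addr.arpa udp
DE 18.185.231.156:443 st-relay-v3-sos-srs-win-3700-g3.api.splashtop.eu tcp
GB 140.238.79.96:443 140-238-79-96.relay.splashtop.com tcp
US 8.8.8.8:53 156.231.185.18.in-addr.arpa udp
US 8.8.8.8:53 96.79.238.140.in-addr.arpa udp
US 52.252.198.191:443 fe2cr.update.microsoft.com tcp
US 8.8.8.8:53 191.198.252.52.in-addr.arpa udp
US 199.232.210.172:80 download.windowsupdate.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "name": name, "proto": proto})
    return rows


def summarize(rows, resolver=RESOLVER):
    connected = {}      # destination ip -> {"ports", "names", "country"}
    ptr_lookups = {}    # ip named in a PTR query -> the query name
    forward = set()     # ordinary name lookups
    for r in rows:
        if r["ip"] == resolver and r["port"] == 53:
            ip = ptr_to_ip(r["name"])
            if ip:
                ptr_lookups[ip] = r["name"]
            else:
                forward.add(r["name"])
            continue
        c = connected.setdefault(r["ip"], {"ports": set(), "names": set(),
                                           "country": r["country"]})
        c["ports"].add(r["port"])
        c["names"].add(r["name"])
    # PTR targets that never show up as a destination in the table.
    unexplained = sorted(ip for ip in ptr_lookups
                         if ip not in connected and ip != resolver)
    return {"connected": connected, "forward_lookups": forward,
            "ptr_lookups": ptr_lookups, "unexplained_ptr": unexplained}


def registrable(name):
    """Last two labels; adequate for the .com/.eu names in this table, not a
    public-suffix-list lookup."""
    return ".".join(name.split(".")[-2:])


def domains_contacted(summary):
    return sorted({registrable(n) for c in summary["connected"].values()
                   for n in c["names"]})


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print("contacted domains:", domains_contacted(s))
    for ip, c in sorted(s["connected"].items()):
        print(ip, c["country"], sorted(c["ports"]), sorted(c["names"]))
    print("PTR lookups with no matching destination:", s["unexplained_ptr"])
```

For blocking or hunting, the connected IP:port pairs and the forward names are the usable indicators; the decoded PTR targets are leads to check against the full capture rather than indicators in their own right.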

Files

C:\Users\Admin\AppData\Local\Temp\unpack1.log

MD5 92d3b651eb8018a7ec02976f1650176a
SHA1 88e8eb86e939ce079b6ff23ca2c4cc29577eeebe
SHA256 cb861ca416b7ce0336fe9d6c40a89d5a16269989e507ad5d7971185586b302d5
SHA512 f44fcd1694016bb70964e359573667533390f5b2a602ff17f25889919b97179d58970adf00439451f548b552219bacb0f8669615c99ee73faeef343463932797

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

MD5 ee7c1fa035cac997ff78b2a8d77b19c3
SHA1 9ed41bd57a4af443ed246693da7b66a96c181cb3
SHA256 ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af
SHA512 ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

MD5 a8b2b3d6c831f120ce624cff48156558
SHA1 202db3bd86f48c2a8779d079716b8cc5363edece
SHA256 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484
SHA512 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

MD5 8ce869f7dbbb2e38c8de76716e49b8a5
SHA1 de73a6b80fca67b06a7e1fec1904095d61b7b864
SHA256 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47
SHA512 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

MD5 2def326d4f3ad50a7abb0f20944405fc
SHA1 c99b7a01019992e4180a5a9d67a8f30a5bda46d7
SHA256 ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092
SHA512 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

MD5 c99c8787347caef751fba46a2bc529fc
SHA1 6c2051fa486b673b9ffd01dae98ae6ec263be390
SHA256 ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20
SHA512 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

MD5 eeda10135ede6edb5c85df3bd878e557
SHA1 8a1059dfd641269945e7a2710b684881bb63e8d2
SHA256 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697
SHA512 a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

MD5 3e76e9316ef4786a23fb89f0c2b675ae
SHA1 b97760551fbaf04f95efb41fb5e6223327fac922
SHA256 a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af
SHA512 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

MD5 99a6a9656da926af8aa648d50b47dcfb
SHA1 81db96003bd8f63250abc7e59fb35e0227d3f28a
SHA256 fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98
SHA512 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0

C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat

MD5 1d56a3f8d7f5dab184a8cc4feddaa173
SHA1 75d291cb96fdc05d54c962f1cb08796ee439b22f
SHA256 84e1a32b4975e92477cf6a36d8931921da735ef988e0c09a2b056f2904541b1e