Analysis Overview
SHA256
6ea0b2cf655c6bf0c44dac0b9ab0fc97c2ee52b4873f48cb1243616a59669a46
Threat Level: Shows suspicious behavior
The file 2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid was classified as: Shows suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Drops file in System32 directory
Checks computer location settings
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Modifies system certificate store
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 12:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 12:03
Reported
2024-11-13 12:06
Platform
win7-20241010-en
Max time kernel
151s
Max time network
129s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
UPX packed file
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe" | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local" | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\expand.exe
C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\schtasks.exe
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /run /tn ASOS1
C:\Windows\system32\taskeng.exe
taskeng.exe {160D17E6-8CEC-4B9A-9B3A-3B2BF6D3A739} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
"SRManagerSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
SRServerSOS.exe -s
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
SRUtilitySOS.exe -r
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\Temp\bd2_request_2ff16a09ec9c00.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 76.223.35.50:443 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700-g3.api.splashtop.com | udp |
| US | 8.8.8.8:53 | st-lookup-v1-sos-srs-win-3700.api.splashtop.com | udp |
| US | 52.223.42.244:443 | st-lookup-v1-sos-srs-win-3700.api.splashtop.com | tcp |
| US | 8.8.8.8:53 | st-v3-sos-srs-win-3700.api.splashtop.eu | udp |
| DE | 52.57.96.131:443 | st-v3-sos-srs-win-3700.api.splashtop.eu | tcp |
| US | 8.8.8.8:53 | st-relay-v3-sos-srs-win-3700.api.splashtop.eu | udp |
| DE | 18.194.23.159:443 | st-relay-v3-sos-srs-win-3700.api.splashtop.eu | tcp |
| US | 8.8.8.8:53 | 132-145-44-30.relay.splashtop.com | udp |
| GB | 132.145.44.30:443 | 132-145-44-30.relay.splashtop.com | tcp |
| US | 8.8.8.8:53 | 3-254-92-28.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 134-65-58-97.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 140-238-72-181.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 34-147-188-244.relay.splashtop.com | udp |
| US | 8.8.8.8:53 | 3-8-123-23.relay.splashtop.com | udp |
| IE | 3.254.92.28:443 | 3-254-92-28.relay.splashtop.com | tcp |
| GB | 134.65.58.97:443 | 134-65-58-97.relay.splashtop.com | tcp |
| GB | 34.147.188.244:443 | 34-147-188-244.relay.splashtop.com | tcp |
| GB | 140.238.72.181:443 | 140-238-72-181.relay.splashtop.com | tcp |
| GB | 3.8.123.23:443 | 3-8-123-23.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49581 | | tcp |
| N/A | 127.0.0.1:49583 | | tcp |
| N/A | 127.0.0.1:49585 | | tcp |
| N/A | 127.0.0.1:49588 | | tcp |
| N/A | 127.0.0.1:49590 | | tcp |
| GB | 3.8.123.23:443 | 3-8-123-23.relay.splashtop.com | tcp |
| GB | 140.238.72.181:443 | 140-238-72-181.relay.splashtop.com | tcp |
| GB | 134.65.58.97:443 | 134-65-58-97.relay.splashtop.com | tcp |
| GB | 34.147.188.244:443 | 34-147-188-244.relay.splashtop.com | tcp |
| IE | 3.254.92.28:443 | 3-254-92-28.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49609 | | tcp |
| N/A | 127.0.0.1:49611 | | tcp |
| N/A | 127.0.0.1:49613 | | tcp |
| N/A | 127.0.0.1:49616 | | tcp |
| N/A | 127.0.0.1:49620 | | tcp |
| GB | 134.65.58.97:443 | 134-65-58-97.relay.splashtop.com | tcp |
| IE | 3.254.92.28:443 | 3-254-92-28.relay.splashtop.com | tcp |
| GB | 3.8.123.23:443 | 3-8-123-23.relay.splashtop.com | tcp |
| GB | 34.147.188.244:443 | 34-147-188-244.relay.splashtop.com | tcp |
| GB | 140.238.72.181:443 | 140-238-72-181.relay.splashtop.com | tcp |
| N/A | 127.0.0.1:49634 | | tcp |
| N/A | 127.0.0.1:49636 | | tcp |
| N/A | 127.0.0.1:49638 | | tcp |
| N/A | 127.0.0.1:49641 | | tcp |
| N/A | 127.0.0.1:49643 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
| MD5 | d49cde454673a977538d2774b092ede1 |
| SHA1 | 61533aafe31532cdf4fda09bc20914aabe09e255 |
| SHA256 | 3d5cb4d9bcc50beebd5681e72d7c43c97d6ba1bc8c0aadf37d6705c8c6a27226 |
| SHA512 | 1e10dbc9cecf634c251466f1f02c24ed53ca587f1727df1a36bdbd060b867f19cf51c638a071f944e7e9c7d92987025562496e7ca6234f4bfb274687144617ba |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
| MD5 | ee7c1fa035cac997ff78b2a8d77b19c3 |
| SHA1 | 9ed41bd57a4af443ed246693da7b66a96c181cb3 |
| SHA256 | ad125dfb7cea109cd265c27e70db7c1fd334b491d3e6c261caf9416c37e117af |
| SHA512 | ef9eac2b09b130993561975a96a7941710ab4781271ce5e9618f085c283df8988f83f05070100251f36660b172853b96bff2c5bd65817686d3476e4fc2217f84 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
| MD5 | a8b2b3d6c831f120ce624cff48156558 |
| SHA1 | 202db3bd86f48c2a8779d079716b8cc5363edece |
| SHA256 | 33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484 |
| SHA512 | 3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
| MD5 | 8ce869f7dbbb2e38c8de76716e49b8a5 |
| SHA1 | de73a6b80fca67b06a7e1fec1904095d61b7b864 |
| SHA256 | 1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47 |
| SHA512 | 98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
| MD5 | 2def326d4f3ad50a7abb0f20944405fc |
| SHA1 | c99b7a01019992e4180a5a9d67a8f30a5bda46d7 |
| SHA256 | ed259409860bc916cc26af1fcb8de0fb455607dd1056d3e530c29614435c3092 |
| SHA512 | 43bf3d1958d1bb1bbeecfff70ca7309509af2ec346763e92521c128b786ce8c6063a5339693ad129966965d926107eaeddc9de9abd9bf0c2580bd3ec2ab3ceb4 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
| MD5 | 3e76e9316ef4786a23fb89f0c2b675ae |
| SHA1 | b97760551fbaf04f95efb41fb5e6223327fac922 |
| SHA256 | a3e723d732b9ba96fb6d639ae3ac38e90e7b8039bd575814c57ca76d0f95a7af |
| SHA512 | 5a78f1cc980c3da7e5f844282c23f724c70ec8ed48ccafb2c39e4fc3f183e4660ff263bc2036f493587142098e180a1ac452ff32036a31ac71729db5a248049d |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
| MD5 | c99c8787347caef751fba46a2bc529fc |
| SHA1 | 6c2051fa486b673b9ffd01dae98ae6ec263be390 |
| SHA256 | ad072ff07a42bcd2e09023024ee87a9803373a17e41926f90463a9350877cf20 |
| SHA512 | 99bd7d6589a56ffdb50b498198254fea1333753f179ee042f9dc3d248bb3ff7c3d613353015ad145308d7f67376b85154a725f17ff6b0a513668a23e23caa5a5 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
| MD5 | eeda10135ede6edb5c85df3bd878e557 |
| SHA1 | 8a1059dfd641269945e7a2710b684881bb63e8d2 |
| SHA256 | 4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697 |
| SHA512 | a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591 |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
| MD5 | 99a6a9656da926af8aa648d50b47dcfb |
| SHA1 | 81db96003bd8f63250abc7e59fb35e0227d3f28a |
| SHA256 | fdf1f9d0af4ff8e5cbd4387d6849327e91f0eedd1befe58d7dd8b6ec40e90a98 |
| SHA512 | 16e850fdabf76a11ed4176e0fd57dafb64faf9551ea220d003c5a86aff8c39ab40d66f7ac7fcc6ef71cfa7e1d6268bbc23e32aa5cf69df58a5d05f666701f3c0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico
C:\Windows\Temp\TarB1E6.tmp
C:\Windows\Temp\bd2_request_2ff16a09ec9c00.bat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf
\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 12:03
Reported
2024-11-13 12:05
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
UPX packed file
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-13_08bfcb7b2d9d752db8a85196c61f14fd_icedid.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\expand.exe
C:\Windows\system32\expand.exe *.cab /f:* .\
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\schtasks.exe
schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /run /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn ASOS1
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
"SRManagerSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
SRServerSOS.exe -s
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
"C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
SRUtilitySOS.exe -r
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\bd2_request_1559b2ee40ac030.bat
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
Network
Files
C:\Users\Admin\AppData\Local\Temp\unpack1.log
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinterx.cat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\stprinter.cat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll
C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3
C:\Windows\Temp\bd2_request_1559b2ee40ac030.bat
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.dll
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\fips.cnf
C:\Windows\Temp\__PSScriptPolicyTest_mgli51fr.zwd.ps1