golddragon | dbd9cfa3d9b4e482ee79e7726e95168a5e27bb0482a0e4744a1e1c56d75f1c32

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-en-20211014
submitted
09-11-2021 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebook.exe.org.exe
Size

28.2MB
MD5

07f79b595254bd60ccec7561e858de35
SHA1

6199b33c52351cdc5d6cd1b61bb9f3602c9eb799
SHA256

dbd9cfa3d9b4e482ee79e7726e95168a5e27bb0482a0e4744a1e1c56d75f1c32
SHA512

6ca0a66adebe69b10e2c79f75441f264e8481d481731ba3bde0ee522f64761558fc74739a1a43b411708d0c6169a92167febd490a0cd96693236de29fc37362b

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

ebook.exe.org.tmpebookreader.exeebook_reader_setup.exeebook_reader_setup.tmpebookreader.exe

pid process

1416 ebook.exe.org.tmp
1424 ebookreader.exe
1008 ebook_reader_setup.exe
1012 ebook_reader_setup.tmp
480 ebookreader.exe

pid	process
1416	ebook.exe.org.tmp
1424	ebookreader.exe
1008	ebook_reader_setup.exe
1012	ebook_reader_setup.tmp
480	ebookreader.exe

Loads dropped DLL 64 IoCs

Processes:

ebook.exe.org.exeebook.exe.org.tmpebookreader.exeebook_reader_setup.exeebook_reader_setup.tmpebookreader.exe

pid	process
1420	ebook.exe.org.exe
1416	ebook.exe.org.tmp
1416	ebook.exe.org.tmp
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1008	ebook_reader_setup.exe
1012	ebook_reader_setup.tmp
1012	ebook_reader_setup.tmp
1012	ebook_reader_setup.tmp
1012	ebook_reader_setup.tmp
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

ebook_reader_setup.tmpebook.exe.org.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Qml.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-89EK6.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qwbmp.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Sensors.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\D3Dcompiler_47.dll	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-EA2D9.tmp	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5WebKit.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-BSVDJ.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qdds.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Network.dll	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-J3NE5.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-2GPDC.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-72AKG.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-47FMV.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-BOV8S.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-0MOKN.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-DST14.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-U7P0V.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-B45C3.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-QDPUQ.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-I7JV2.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-TNUV3.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-VS3S8.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-1H0HN.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-A2VLE.tmp	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5MultimediaWidgets.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-C412P.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-4P4LG.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5SerialPort.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-U0NP7.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qtiff.dll	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-SKT08.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-S1O9A.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-9OGGF.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-JV41T.tmp	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qicns.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\quazip.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Network.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-O5K1J.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-EORJP.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-DT8SE.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Gui.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-356VN.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-G5BFL.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-DK3G3.tmp	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\sqldrivers\qsqlite.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5PrintSupport.dll	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\vcomp100.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5OpenGL.dll	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-NPTTR.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-KVUGQ.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-KFK48.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\unins000.msg	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-2GDQK.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-QR0PM.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-9DD9Q.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\is-CS18D.tmp	ebook.exe.org.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-KCEPK.tmp	ebook.exe.org.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\imageformats\qdds.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\Qt5Widgets.dll	ebook_reader_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Ebook Reader\sqldrivers\qsqlite.dll	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\is-ENEJU.tmp	ebook_reader_setup.tmp
File created	C:\Program Files (x86)\Icecream Ebook Reader\translations\is-H5FDD.tmp	ebook_reader_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4056a3e65fd5d701	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\icecreamapps.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{02F025D1-4153-11EC-A1A5-C2A3A902DBDF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage\icecreamapps.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09b99dd5fd5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C805E21-4153-11EC-A1A5-C2A3A902DBDF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000824026bc5069a8e0183368ec21c428283501622a8d68e959fd6f7df2ab01f9db000000000e8000000002000020000000054456ecdeb486ca83c539c61215ef19e95c93cbb5ea491ef7538fe24bc391bc9000000021629dfc313ddc5952a19f0ca023fe69701e9d31d0da3b4305a746fac91281d72369306baf0adaecc6c3779451ef165f966e36bb045dfaa55da768d46ed63250bf09896ddcb0df5e18ca26194f2be0ed1e7f18ed40de4cc6a4240e320259aacbd98e533ae7c0441339a9545e97cb69f4f7378a77114cfd192510c5682559932fb7a5e3351c74bbdb6c74fafe5785a0aa40000000b58aff9225aa28710e66e4067af814ea361ecd6738f0929619b61e43fb60b0fe006ca331b92216fcf4629d53a489bd6d625f22574595f8446b91443a052820a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb19360000000002000000000010660000000100002000000092d3c6ac048796ba6d3fc322ade9e9269555c0d6d578675b45ad6f38635c8114000000000e80000000020000200000007fdfa884c667a0d704aa8894b31178fa95e4e27a44c5dd71d6acbf0f2487bac020000000c242438f17cbd53098f0ebc4707eaa3368e16421f55779da88ec3d1e6e7ee815400000009ee09f8ba0a24e095b5d5dbc96d19475d45040ce0e25afa6dfb36747e459e391fc1bc8d052c3064c5cf42fda45784f743edf78ea2c899d307b45e080aef94ba0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

ebook_reader_setup.tmpebook.exe.org.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\DefaultIcon	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\epub.ico"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell\open\command	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fb2	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\DefaultIcon	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell\open\command	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.epub	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mobi	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mobi\ = "IcecreamEbookReader\\MOBI"	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz\ = "IcecreamEbookReader\\CBZ"	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbr\ = "IcecreamEbookReader\\CBR"	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbr.ico"	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\epub.ico"	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.epub\ = "IcecreamEbookReader\\EPUB"	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fb2\ = "IcecreamEbookReader\\FB2"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\shell	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mobi\ = "IcecreamEbookReader\\MOBI"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fb2	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbz.ico"	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbr\ = "IcecreamEbookReader\\CBR"	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\shell\open\command	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\DefaultIcon	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\shell\open\command	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbz.ico"	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.epub\ = "IcecreamEbookReader\\EPUB"	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell\open\command	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\mobi.ico"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\DefaultIcon	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbr	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\shell\open	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\shell\open\command	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\fb2.ico"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\shell\open	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell\open	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBR\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\cbr.ico"	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\shell\open\command	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\EPUB\shell	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\mobi.ico"	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\shell\open	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbz\ = "IcecreamEbookReader\\CBZ"	ebook_reader_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2	ebook.exe.org.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\FB2\DefaultIcon\ = "C:\\Program Files (x86)\\Icecream Ebook Reader\\fb2.ico"	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\CBZ\shell\open\command	ebook.exe.org.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\DefaultIcon	ebook_reader_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcecreamEbookReader\MOBI\shell\open\command\ = "\"C:\\Program Files (x86)\\Icecream Ebook Reader\\ebookreader.exe\" \"%1\""	ebook_reader_setup.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ebookreader.exeebookreader.exe

pid process

1424 ebookreader.exe
480 ebookreader.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ebook.exe.org.tmpebook_reader_setup.tmp

pid process

1416 ebook.exe.org.tmp
1416 ebook.exe.org.tmp
1012 ebook_reader_setup.tmp
1012 ebook_reader_setup.tmp
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ebookreader.exeebookreader.exe

pid process

1424 ebookreader.exe
480 ebookreader.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

ebook.exe.org.tmpiexplore.exeiexplore.exeebook_reader_setup.tmp

pid process

1416 ebook.exe.org.tmp
964 iexplore.exe
1488 iexplore.exe
1488 iexplore.exe
1012 ebook_reader_setup.tmp
1488 iexplore.exe

pid	process
1424	ebookreader.exe
480	ebookreader.exe

pid	process
1416	ebook.exe.org.tmp
1416	ebook.exe.org.tmp
1012	ebook_reader_setup.tmp
1012	ebook_reader_setup.tmp

pid	process
1424	ebookreader.exe
480	ebookreader.exe

pid	process
1416	ebook.exe.org.tmp
964	iexplore.exe
1488	iexplore.exe
1488	iexplore.exe
1012	ebook_reader_setup.tmp
1488	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEebookreader.exeiexplore.exeIEXPLORE.EXEebookreader.exe

pid	process
964	iexplore.exe
964	iexplore.exe
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1424	ebookreader.exe
1424	ebookreader.exe
1424	ebookreader.exe
1488	iexplore.exe
1488	iexplore.exe
796	IEXPLORE.EXE
796	IEXPLORE.EXE
1488	iexplore.exe
1488	iexplore.exe
796	IEXPLORE.EXE
796	IEXPLORE.EXE
480	ebookreader.exe
480	ebookreader.exe
480	ebookreader.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

ebook.exe.org.exeebook.exe.org.tmpiexplore.exeebookreader.exeiexplore.exeebook_reader_setup.exeebook_reader_setup.tmp

description	pid	process	target process
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1420 wrote to memory of 1416	1420	ebook.exe.org.exe	ebook.exe.org.tmp
PID 1416 wrote to memory of 964	1416	ebook.exe.org.tmp	iexplore.exe
PID 1416 wrote to memory of 964	1416	ebook.exe.org.tmp	iexplore.exe
PID 1416 wrote to memory of 964	1416	ebook.exe.org.tmp	iexplore.exe
PID 1416 wrote to memory of 964	1416	ebook.exe.org.tmp	iexplore.exe
PID 964 wrote to memory of 1868	964	iexplore.exe	IEXPLORE.EXE
PID 964 wrote to memory of 1868	964	iexplore.exe	IEXPLORE.EXE
PID 964 wrote to memory of 1868	964	iexplore.exe	IEXPLORE.EXE
PID 964 wrote to memory of 1868	964	iexplore.exe	IEXPLORE.EXE
PID 1416 wrote to memory of 1424	1416	ebook.exe.org.tmp	ebookreader.exe
PID 1416 wrote to memory of 1424	1416	ebook.exe.org.tmp	ebookreader.exe
PID 1416 wrote to memory of 1424	1416	ebook.exe.org.tmp	ebookreader.exe
PID 1416 wrote to memory of 1424	1416	ebook.exe.org.tmp	ebookreader.exe
PID 1424 wrote to memory of 1488	1424	ebookreader.exe	iexplore.exe
PID 1424 wrote to memory of 1488	1424	ebookreader.exe	iexplore.exe
PID 1424 wrote to memory of 1488	1424	ebookreader.exe	iexplore.exe
PID 1424 wrote to memory of 1488	1424	ebookreader.exe	iexplore.exe
PID 1488 wrote to memory of 796	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 796	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 796	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 796	1488	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1488 wrote to memory of 1008	1488	iexplore.exe	ebook_reader_setup.exe
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1008 wrote to memory of 1012	1008	ebook_reader_setup.exe	ebook_reader_setup.tmp
PID 1012 wrote to memory of 1700	1012	ebook_reader_setup.tmp	iexplore.exe
PID 1012 wrote to memory of 1700	1012	ebook_reader_setup.tmp	iexplore.exe
PID 1012 wrote to memory of 1700	1012	ebook_reader_setup.tmp	iexplore.exe
PID 1012 wrote to memory of 1700	1012	ebook_reader_setup.tmp	iexplore.exe
PID 1012 wrote to memory of 480	1012	ebook_reader_setup.tmp	ebookreader.exe
PID 1012 wrote to memory of 480	1012	ebook_reader_setup.tmp	ebookreader.exe
PID 1012 wrote to memory of 480	1012	ebook_reader_setup.tmp	ebookreader.exe
PID 1012 wrote to memory of 480	1012	ebook_reader_setup.tmp	ebookreader.exe

C:\Users\Admin\AppData\Local\Temp\ebook.exe.org.exe
"C:\Users\Admin\AppData\Local\Temp\ebook.exe.org.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\is-FT0QC.tmp\ebook.exe.org.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FT0QC.tmp\ebook.exe.org.tmp" /SL5="$400EA,28982256,486912,C:\Users\Admin\AppData\Local\Temp\ebook.exe.org.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://icecreamapps.com/Ebook-Reader/thankyou.html?v=5.21
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:964 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1868
- - C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe
    "C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe" -inst
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://icecreamapps.com/Download-Ebook-Reader/
      4⤵
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:796
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\ebook_reader_setup.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\ebook_reader_setup.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\is-O3LR2.tmp\ebook_reader_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O3LR2.tmp\ebook_reader_setup.tmp" /SL5="$30172,28964596,486912,C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\ebook_reader_setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://icecreamapps.com/Ebook-Reader/thankyou.html?v=5.30
        7⤵
        
        PID:1700
        
        C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe
        
        "C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe" -inst
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Icecream Ebook Reader\CrashRpt1403.dll

MD5
a5e2253b874629df2831ff197fc789bb

SHA1
8c10efb17f6c8981d4b30b5da1cc7c6282b05f55

SHA256
f1b54decbadced4fea024dc8198454c461e7f5015def627a0556b446137d91a4

SHA512
e43b375e4d9749d06703c5d61d838ef7557cbe58b5b2f2aee2c5da8c91a134f733ccfdac68291bb0835a5b32396adc6d715fd17f21d75c75f9b1b9757e7ebeeb

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\MSVCP120.dll

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\MSVCR100.dll

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\MSVCR120.dll

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Core.dll

MD5
f032e9f7231e47f88a5106d67582e136

SHA1
01dd06108020ec510898c38c8a7b2bbf7cf05c60

SHA256
6426b33f7c9b48d151159c5fd3e90e8a5aae809bea2a5f467c307812e8678ae9

SHA512
8e21e6cb24c471e65867f45fe95cc6e1143dacd5231fe1d230efd51b4d9c1ac02d8e20e9fd090561b06c13c12e3f6c7634206d626d8a9891f3f9c844b6bf42f1

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Gui.dll

MD5
e84f81941b35e8d553f9ebc59daccdb5

SHA1
8a8e4f923ff9caaa8f2c78d66ce7f5de42aba514

SHA256
af830d6ea25bb708b52fcb13ee15ac6ba8f7b331d5ca8a842022307f937ab9ef

SHA512
c3dab550f4319b6cea1363534f9c2b9e5ee6717faddf3355c182ce519d4f51221760a46cc2f7aeb73ef0fa46b78cd2997fe506861e19af1704759f63e81ba586

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Multimedia.dll

MD5
d9fef00d64605c4c43027b1ad6c16830

SHA1
7214d3a2173c6bf9fb7ce702bd37a345302d9c82

SHA256
537ebc0fc1d7400f729c4b2eaefc47e56b7499e912b6e49faf9c871dfca2d355

SHA512
95d63fa31888ca253a3a84bcff093eca2ad33eb49517cb531668718ca3611a9b38760a1946ce553b601daacab4c0bb33d0ac34aea1853ebcfe878be23d6b6956

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5MultimediaWidgets.dll

MD5
eea69ada2fdac097a7ece621a55b0427

SHA1
cc2b7c927856eb8136d201ddfa84b07d16a6eb58

SHA256
91a37022efae3062c5ee8c4aaca35f3b09816993aac95b28515e7495758f724a

SHA512
428286c404e9ba7e1637bf9afaa20ed9688ed5210f8f06873ed033a2c1ec122302391cd1193e3dbaae98d9b39a199a69f93e9aacb56f4a89276a4c6311a7fbae

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Network.dll

MD5
620c06ab969b612f15a69727858bb8c9

SHA1
b71d3aa10c5678a1272423cefa521be4553fcf06

SHA256
a0e0d788b3b00605ce631b7a65b431547108047e129d82af8bb4276f92323417

SHA512
a89268346c8becca6af723b91f91a00d74fb2e3be3a0cac5f011313adb3c4138a473586a15978a470bc8c665573fa6d71a72f1688712da0a63a8b3481057778f

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5OpenGL.dll

MD5
6eb03665fbef3a256b38455c33fde1ca

SHA1
cf38aa9142a8ed5f3b94d815ac856e551025876a

SHA256
27e0562371659f67f92a555fa63081e916f90cd005c409e15388ef322d24690d

SHA512
2b9ecf52b08906661b28f519aa9a269d2621ff1783c2e61f06ec51d3b7ddc9831550bc849d9a6fb457209c1fc081ba82559e96c3e6df99ca77ea26e81bf7c3c7

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Positioning.dll

MD5
d9e78dc77a3588875d1e4e9ccfa325c8

SHA1
4c91a20c549ecfe570dba13d5682d92db2d263ca

SHA256
9c03cbb355cc72a2fefcfe7a93c3649255f9b244643cee8b4540977d6f5cea39

SHA512
679f65edf74fbc8588d91d9332793fad3c4c766e66cc0f08ceef4cb4a02bebba355aef20087f02fe68ea2d647fcb75d080870fce343f3f2c7df485d11388b221

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5PrintSupport.dll

MD5
36d1f5e2b7394b3f4f36f5c436aebc67

SHA1
444ca408ff553679d88372b2d84ff612f0b7bb64

SHA256
e801c4afb2461089af182abd7c76872e2ffca35d7b5cde9fb5b18fe2432f2f65

SHA512
b44295e887d4c6a11a8199f0bc33689f85a99e7d3e4895d10ea7eb18d1e8c128448f5b0353615b937e1a11687ef19e4d6c837d7a73f567236cd3a7ac784bec71

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Qml.dll

MD5
020e672f6eba759a9be4fe8aaed4dcd0

SHA1
05dd191ba1661d736c0e299098979c253cf986f8

SHA256
806fc0ead90df419f83607081937a86dbdd8294a2e66466cfe71d30d5830b1f0

SHA512
deacd9f1da17e2f12d3a2afa187a85a97454beb90f0212d2f1765acbbc7b5d6228d565b064c1498b375d5b60c7dcf1a2068c2264d6db7568870b0c2d3ce01ecd

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Quick.dll

MD5
7ce631a9f912db8bbd076007bed68462

SHA1
c4a072f2aac230d32e4f9208b89190e9cf64ba25

SHA256
df39e14fa700dfa802a6945a431a8653e3e9b6729e0c9d1f356279633cc777c6

SHA512
ac5eca144c693a02724aa40e5536e0578a2d71776067f1ed83a73e7b143d7aa7bd6be232b93a3d436d4e95428ba768751be6eaf584105c66e3d3b0a1e57dba71

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Sensors.dll

MD5
126e44522b6be9bf43700977dd30f8e3

SHA1
13347a2b7a15a87e971a92fb45d23c72200b3c74

SHA256
356203b3048d3514bec1545b2af0825713f5abba338d4ca697fc36e704c584d8

SHA512
6d047da0a9c915a79d07ba53444cb2abd8bf32ed6d81953005ab33518897eedad5a5a55fe5528dd67600f30f7136cabedf4f7edcdb64b125fcb2af4ba33792da

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Sql.dll

MD5
e340fb3a9887ecf6cde6de8647d00ead

SHA1
bb41da73c5e44d32de21a4d0bfa8e512ea740c75

SHA256
ae27114e0bcbcbc2fd015f34fb0db4db149ca6d413edbb3722aa7f05a7fc7119

SHA512
4fc886e72f7699767a905d0db845ad174423ebe61eb603c106e3c297851ff0d8b6d0b15a397bd958b7b4ad4ae5e406d9a38094f0ba59173f516fc437be68a5d8

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5WebChannel.dll

MD5
5328b2a2ae291f2dabbd196fcef06790

SHA1
17cdfbbc4cf03fe7710a9985e8e9e9837049ddb2

SHA256
e1ae6310862bd88822dee201c5da0bb79237ae192339ef602c97e76af7a95b1f

SHA512
da326a0adaa1a6a83ab27a0e4d73330e7fb20e159123ae77f7a0ca848ded1939c1cfe2aeabd21573a3455d65eca7692557c2d808bf1f00e92c6edeab400ce55a

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5WebKit.dll

MD5
b8acdcc03cde521dfa08ef081bdbfbdb

SHA1
ccbc713e007bddd21d4f36c5f10e0a3e8dd83f8f

SHA256
32a12b3368cee4bceeae263947cff17424607c8f6a318a76a0e5530894bc6eb9

SHA512
130a5e9d1f22e7e7d3ed4613b9f2862181c2b3bae486cc023b24ceeacf8bc824afe8d7d95a58cba28e68df0a3d7a8a904b82f2279240a89f83fbf4c9211072a1

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5WebKitWidgets.dll

MD5
ea78a77f41a87282c89b0f2a40b9c42f

SHA1
6cdfe1bdc9a3f6e17ddb58709bff6dc7cb082b31

SHA256
25b48dbc50d12ef3d14a9e92d2a8384b68aa4d031415f3e8d1e28b3db3b198cf

SHA512
a8701e7926f1ef0315882e36c85525832fd5d29bf30801c72ee5099b9df94a8648a85aef2099eb6e36decd826851f214d3267def92b92069700255e076d8d35e

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Widgets.dll

MD5
462946fc769e02a9a373c1ce84e7daf9

SHA1
c73c0ea32300123780d8c43c58240d14e9e0b3c3

SHA256
e6170d8a69164898453388e165efb688d4c769cdeee6b99cdad2b142d8b20d26

SHA512
b722117ec8bc8b7aa1ba8e3bd538a3a4c322c0b4e4160d8da42616e4160940f19cc27212caed913e8a595d8b788f27fb0e90e86bc3d6be1e695d974b059d62b2

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\Qt5Xml.dll

MD5
9d9e18eb1ea75fa7bc9a6197455f728e

SHA1
c4128cc54f099f2f5a32d2f6b7dc11d688abeac8

SHA256
91351ea2645ab618a69d86e0d64302b47f63288340fbb1c1d6754a2ef1b03b9b

SHA512
5485693208c630483a2926222031b6fdae966869392a6a3c1d752a57c40b7df938f5df7928c9e5f48d2bb7ae13f254bece53081f66f57265605558d70d288f4f

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe

MD5
c837214f0411d8c5a01b822ffc83c70c

SHA1
6b6d9073ac83a6214ec1b23ccb015385c7a728a5

SHA256
1a07fe5eebda497f39e6bfd3e60fae6cf6056387fc4a71a4fe895b165dd919ba

SHA512
eab1b509485eb330a7b77ba5306b87dbdc3e4c477e2396d6eff323c4eca4f94f9e3d1f4f56e76928bbcd6319c8d79232487c6c032bbd08340e400352c7aa9bc1

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\icudt54.dll

MD5
ca0e74958884e456b68d03dc20d4a3d5

SHA1
9aa28265d471596a365c678f95acede8fe3a0975

SHA256
5bf6f21732cfbba2b0aa041d4c35a360ae820c39abd71578ef0611af3cf9a556

SHA512
78d6c6ca78832f630022f523354e473cc92a1cd522a6644ad82cd6d633bf73a201980e993487a267d6fc96b02599fc861b2e4b1433ae013b37e32786a0ef16e0

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\icuin54.dll

MD5
89a5cd795698c6a3b85d7784ed42da94

SHA1
2b32df0d453a0e92fb588c59bba6dbe93c1e979d

SHA256
c94eb8962d1b43c0c0ef8bc9437424a36ca05c7f1f7f52a3b3e620d01b61004f

SHA512
37051b464ff18fe9ba6e0a3f9b434d04948c86840429dfe977b9d8ca1badbad85f00909b77a3583b0c38fef7bc14fb5bad8c5c0f8e9694feb6e08efb20ce78f4

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\icuuc54.dll

MD5
cce6df2eb76752ab9695d1009f1be44b

SHA1
f861a32fa38b0c02e29057fe29629f4a5d819f23

SHA256
3777b2fe49ccaa5dc681f452318bdd1768c689ce76ad15f21374c21224621e9d

SHA512
509acbebec9c9c3483134b983cf137e9574ac3cd45714aca5ca9bd7bbb38b90599eda89f11ced99fbb1ae41a9de688ae8c040edbb3b7a28b07167fe7f6131fec

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\libEGL.dll

MD5
66a7ad029e0754f047d67766770258c6

SHA1
5178b01b261ae350a849893975256e12867fc91b

SHA256
bc3831a30260613c9a344b24ea11bbb56449fcf112a1dd7205adebf7136c33e1

SHA512
3b6cdf557b731fce6b188263a625d07f6dde321d7983a18bb1fb4234b9a95fee8b88dcad7e959bb81fb41072f83614ed6f17a32877730128903181377f9a1be4

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\libGLESv2.dll

MD5
c36670a5ef4b5266ff22fc3396bb8d4e

SHA1
ef0cab19228af2c7caea5aa07cbf132ee07cd7d0

SHA256
0166707318459f816dca72145c3c7ab7e3c9064d76a2692b44d6e86d2a737ca2

SHA512
2b402bc61769b429f959a9ddcc4de36800b69e5b68b0caf2025bbaa5c09327af8a697d3f33e3a2a4e3f51b1bfe064b61b57105e0dd92d6f5c5f0d6ea189ddad2

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\libcurl.dll

MD5
faf0320271c29fdb11d3e0ae9a7d1836

SHA1
d3d8b7cbf531007e4884110193132a47bf8fdac9

SHA256
fb709f839909afadff9ae0032a7099d5ed07fd56eb01a9752828505278e415f5

SHA512
e79ce7d5091861f16f408fa6d784ad95058afd5aa4439140e9ac723dc51672c389694e5284e66c82c3b8f9e617d2ac2689160235a418c58c58d23f2c6b848a0b

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\quazip.dll

MD5
5de7fe11f34277530838326caa3f3790

SHA1
9a9b55b1039b84d3fa75b47d75861b30ddf64556

SHA256
20158cbfa0bc77a498ce568dcd1e6e5d6a415c089839d434dc349cce33d6a925

SHA512
595f239893edd04b6dd61eb85612d5744a80669f1a740af155d5dc7abab57a2a1d3ffc951b9c93a4758b0cb7de5ffd3b4370d0721363c581cd1bec708b740bc1

Download Submit
C:\Program Files (x86)\Icecream Ebook Reader\unrar.dll

MD5
570e94acbc5e43e7a3c217148291be4c

SHA1
684e6dc1669cc5772ea46493c17d8010554cb3d9

SHA256
cfc782faffc6fa3b602e97d2ea0d00e20873e10cc9b46160bff7ce1b5f738c0f

SHA512
fb271860d7978d2cc59d2f1ca618a27248278837317d87c032469f8561a221314b9388b61dd2942bc916c388ba74cecb4517040bf3da898be2f85cf7adc45afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat

MD5
7848911cf9d2767c255d39427961badf

SHA1
f9269ac2ddcee88037a0bf3b5b553f597623e246

SHA256
bfea9c1a4a720669e70500658896c3e7a23a36b6e37d3f4ec9d7ca1a754a857d

SHA512
ca6e66e0e242415c33b6244971508d5d070a28c4c8a08ac05a32897e708ef7e5b6f715b7eeceda874207d8989100dec499524a46aba06e974e4564f66b5f5c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FT0QC.tmp\ebook.exe.org.tmp

MD5
b6ea91910145dacd1a87fba52b5fa76e

SHA1
c8c557fcaf3e6e7274633dfb5576a9cfda2635c4

SHA256
9141bdb8993c54e6e80b0fd38dee61203988743525344dc6579d67c140511c6c

SHA512
e6fcd6c72256dc7ce7aaa50108388af6a9fb8e458e173abbee1e64791d85bb76dab5d924b35b00a5a18f2c3735041bed44dba115fb534e45f4fdfaaabc5ad9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FT0QC.tmp\ebook.exe.org.tmp

MD5
b6ea91910145dacd1a87fba52b5fa76e

SHA1
c8c557fcaf3e6e7274633dfb5576a9cfda2635c4

SHA256
9141bdb8993c54e6e80b0fd38dee61203988743525344dc6579d67c140511c6c

SHA512
e6fcd6c72256dc7ce7aaa50108388af6a9fb8e458e173abbee1e64791d85bb76dab5d924b35b00a5a18f2c3735041bed44dba115fb534e45f4fdfaaabc5ad9d2

Download Submit
\Program Files (x86)\Icecream Ebook Reader\CrashRpt1403.dll

MD5
a5e2253b874629df2831ff197fc789bb

SHA1
8c10efb17f6c8981d4b30b5da1cc7c6282b05f55

SHA256
f1b54decbadced4fea024dc8198454c461e7f5015def627a0556b446137d91a4

SHA512
e43b375e4d9749d06703c5d61d838ef7557cbe58b5b2f2aee2c5da8c91a134f733ccfdac68291bb0835a5b32396adc6d715fd17f21d75c75f9b1b9757e7ebeeb

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Core.dll

MD5
f032e9f7231e47f88a5106d67582e136

SHA1
01dd06108020ec510898c38c8a7b2bbf7cf05c60

SHA256
6426b33f7c9b48d151159c5fd3e90e8a5aae809bea2a5f467c307812e8678ae9

SHA512
8e21e6cb24c471e65867f45fe95cc6e1143dacd5231fe1d230efd51b4d9c1ac02d8e20e9fd090561b06c13c12e3f6c7634206d626d8a9891f3f9c844b6bf42f1

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Gui.dll

MD5
e84f81941b35e8d553f9ebc59daccdb5

SHA1
8a8e4f923ff9caaa8f2c78d66ce7f5de42aba514

SHA256
af830d6ea25bb708b52fcb13ee15ac6ba8f7b331d5ca8a842022307f937ab9ef

SHA512
c3dab550f4319b6cea1363534f9c2b9e5ee6717faddf3355c182ce519d4f51221760a46cc2f7aeb73ef0fa46b78cd2997fe506861e19af1704759f63e81ba586

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Multimedia.dll

MD5
d9fef00d64605c4c43027b1ad6c16830

SHA1
7214d3a2173c6bf9fb7ce702bd37a345302d9c82

SHA256
537ebc0fc1d7400f729c4b2eaefc47e56b7499e912b6e49faf9c871dfca2d355

SHA512
95d63fa31888ca253a3a84bcff093eca2ad33eb49517cb531668718ca3611a9b38760a1946ce553b601daacab4c0bb33d0ac34aea1853ebcfe878be23d6b6956

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5MultimediaWidgets.dll

MD5
eea69ada2fdac097a7ece621a55b0427

SHA1
cc2b7c927856eb8136d201ddfa84b07d16a6eb58

SHA256
91a37022efae3062c5ee8c4aaca35f3b09816993aac95b28515e7495758f724a

SHA512
428286c404e9ba7e1637bf9afaa20ed9688ed5210f8f06873ed033a2c1ec122302391cd1193e3dbaae98d9b39a199a69f93e9aacb56f4a89276a4c6311a7fbae

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Network.dll

MD5
620c06ab969b612f15a69727858bb8c9

SHA1
b71d3aa10c5678a1272423cefa521be4553fcf06

SHA256
a0e0d788b3b00605ce631b7a65b431547108047e129d82af8bb4276f92323417

SHA512
a89268346c8becca6af723b91f91a00d74fb2e3be3a0cac5f011313adb3c4138a473586a15978a470bc8c665573fa6d71a72f1688712da0a63a8b3481057778f

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5OpenGL.dll

MD5
6eb03665fbef3a256b38455c33fde1ca

SHA1
cf38aa9142a8ed5f3b94d815ac856e551025876a

SHA256
27e0562371659f67f92a555fa63081e916f90cd005c409e15388ef322d24690d

SHA512
2b9ecf52b08906661b28f519aa9a269d2621ff1783c2e61f06ec51d3b7ddc9831550bc849d9a6fb457209c1fc081ba82559e96c3e6df99ca77ea26e81bf7c3c7

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Positioning.dll

MD5
d9e78dc77a3588875d1e4e9ccfa325c8

SHA1
4c91a20c549ecfe570dba13d5682d92db2d263ca

SHA256
9c03cbb355cc72a2fefcfe7a93c3649255f9b244643cee8b4540977d6f5cea39

SHA512
679f65edf74fbc8588d91d9332793fad3c4c766e66cc0f08ceef4cb4a02bebba355aef20087f02fe68ea2d647fcb75d080870fce343f3f2c7df485d11388b221

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5PrintSupport.dll

MD5
36d1f5e2b7394b3f4f36f5c436aebc67

SHA1
444ca408ff553679d88372b2d84ff612f0b7bb64

SHA256
e801c4afb2461089af182abd7c76872e2ffca35d7b5cde9fb5b18fe2432f2f65

SHA512
b44295e887d4c6a11a8199f0bc33689f85a99e7d3e4895d10ea7eb18d1e8c128448f5b0353615b937e1a11687ef19e4d6c837d7a73f567236cd3a7ac784bec71

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Qml.dll

MD5
020e672f6eba759a9be4fe8aaed4dcd0

SHA1
05dd191ba1661d736c0e299098979c253cf986f8

SHA256
806fc0ead90df419f83607081937a86dbdd8294a2e66466cfe71d30d5830b1f0

SHA512
deacd9f1da17e2f12d3a2afa187a85a97454beb90f0212d2f1765acbbc7b5d6228d565b064c1498b375d5b60c7dcf1a2068c2264d6db7568870b0c2d3ce01ecd

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Quick.dll

MD5
7ce631a9f912db8bbd076007bed68462

SHA1
c4a072f2aac230d32e4f9208b89190e9cf64ba25

SHA256
df39e14fa700dfa802a6945a431a8653e3e9b6729e0c9d1f356279633cc777c6

SHA512
ac5eca144c693a02724aa40e5536e0578a2d71776067f1ed83a73e7b143d7aa7bd6be232b93a3d436d4e95428ba768751be6eaf584105c66e3d3b0a1e57dba71

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Sensors.dll

MD5
126e44522b6be9bf43700977dd30f8e3

SHA1
13347a2b7a15a87e971a92fb45d23c72200b3c74

SHA256
356203b3048d3514bec1545b2af0825713f5abba338d4ca697fc36e704c584d8

SHA512
6d047da0a9c915a79d07ba53444cb2abd8bf32ed6d81953005ab33518897eedad5a5a55fe5528dd67600f30f7136cabedf4f7edcdb64b125fcb2af4ba33792da

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Sql.dll

MD5
e340fb3a9887ecf6cde6de8647d00ead

SHA1
bb41da73c5e44d32de21a4d0bfa8e512ea740c75

SHA256
ae27114e0bcbcbc2fd015f34fb0db4db149ca6d413edbb3722aa7f05a7fc7119

SHA512
4fc886e72f7699767a905d0db845ad174423ebe61eb603c106e3c297851ff0d8b6d0b15a397bd958b7b4ad4ae5e406d9a38094f0ba59173f516fc437be68a5d8

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5WebChannel.dll

MD5
5328b2a2ae291f2dabbd196fcef06790

SHA1
17cdfbbc4cf03fe7710a9985e8e9e9837049ddb2

SHA256
e1ae6310862bd88822dee201c5da0bb79237ae192339ef602c97e76af7a95b1f

SHA512
da326a0adaa1a6a83ab27a0e4d73330e7fb20e159123ae77f7a0ca848ded1939c1cfe2aeabd21573a3455d65eca7692557c2d808bf1f00e92c6edeab400ce55a

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5WebKit.dll

MD5
b8acdcc03cde521dfa08ef081bdbfbdb

SHA1
ccbc713e007bddd21d4f36c5f10e0a3e8dd83f8f

SHA256
32a12b3368cee4bceeae263947cff17424607c8f6a318a76a0e5530894bc6eb9

SHA512
130a5e9d1f22e7e7d3ed4613b9f2862181c2b3bae486cc023b24ceeacf8bc824afe8d7d95a58cba28e68df0a3d7a8a904b82f2279240a89f83fbf4c9211072a1

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5WebKitWidgets.dll

MD5
ea78a77f41a87282c89b0f2a40b9c42f

SHA1
6cdfe1bdc9a3f6e17ddb58709bff6dc7cb082b31

SHA256
25b48dbc50d12ef3d14a9e92d2a8384b68aa4d031415f3e8d1e28b3db3b198cf

SHA512
a8701e7926f1ef0315882e36c85525832fd5d29bf30801c72ee5099b9df94a8648a85aef2099eb6e36decd826851f214d3267def92b92069700255e076d8d35e

Download Submit
\Program Files (x86)\Icecream Ebook Reader\Qt5Widgets.dll

MD5
462946fc769e02a9a373c1ce84e7daf9

SHA1
c73c0ea32300123780d8c43c58240d14e9e0b3c3

SHA256
e6170d8a69164898453388e165efb688d4c769cdeee6b99cdad2b142d8b20d26

SHA512
b722117ec8bc8b7aa1ba8e3bd538a3a4c322c0b4e4160d8da42616e4160940f19cc27212caed913e8a595d8b788f27fb0e90e86bc3d6be1e695d974b059d62b2

Download Submit
\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe

MD5
c837214f0411d8c5a01b822ffc83c70c

SHA1
6b6d9073ac83a6214ec1b23ccb015385c7a728a5

SHA256
1a07fe5eebda497f39e6bfd3e60fae6cf6056387fc4a71a4fe895b165dd919ba

SHA512
eab1b509485eb330a7b77ba5306b87dbdc3e4c477e2396d6eff323c4eca4f94f9e3d1f4f56e76928bbcd6319c8d79232487c6c032bbd08340e400352c7aa9bc1

Download Submit
\Program Files (x86)\Icecream Ebook Reader\ebookreader.exe

MD5
c837214f0411d8c5a01b822ffc83c70c

SHA1
6b6d9073ac83a6214ec1b23ccb015385c7a728a5

SHA256
1a07fe5eebda497f39e6bfd3e60fae6cf6056387fc4a71a4fe895b165dd919ba

SHA512
eab1b509485eb330a7b77ba5306b87dbdc3e4c477e2396d6eff323c4eca4f94f9e3d1f4f56e76928bbcd6319c8d79232487c6c032bbd08340e400352c7aa9bc1

Download Submit
\Program Files (x86)\Icecream Ebook Reader\icudt54.dll

MD5
ca0e74958884e456b68d03dc20d4a3d5

SHA1
9aa28265d471596a365c678f95acede8fe3a0975

SHA256
5bf6f21732cfbba2b0aa041d4c35a360ae820c39abd71578ef0611af3cf9a556

SHA512
78d6c6ca78832f630022f523354e473cc92a1cd522a6644ad82cd6d633bf73a201980e993487a267d6fc96b02599fc861b2e4b1433ae013b37e32786a0ef16e0

Download Submit
\Program Files (x86)\Icecream Ebook Reader\icuin54.dll

MD5
89a5cd795698c6a3b85d7784ed42da94

SHA1
2b32df0d453a0e92fb588c59bba6dbe93c1e979d

SHA256
c94eb8962d1b43c0c0ef8bc9437424a36ca05c7f1f7f52a3b3e620d01b61004f

SHA512
37051b464ff18fe9ba6e0a3f9b434d04948c86840429dfe977b9d8ca1badbad85f00909b77a3583b0c38fef7bc14fb5bad8c5c0f8e9694feb6e08efb20ce78f4

Download Submit
\Program Files (x86)\Icecream Ebook Reader\icuuc54.dll

MD5
cce6df2eb76752ab9695d1009f1be44b

SHA1
f861a32fa38b0c02e29057fe29629f4a5d819f23

SHA256
3777b2fe49ccaa5dc681f452318bdd1768c689ce76ad15f21374c21224621e9d

SHA512
509acbebec9c9c3483134b983cf137e9574ac3cd45714aca5ca9bd7bbb38b90599eda89f11ced99fbb1ae41a9de688ae8c040edbb3b7a28b07167fe7f6131fec

Download Submit
\Program Files (x86)\Icecream Ebook Reader\libEGL.dll

MD5
66a7ad029e0754f047d67766770258c6

SHA1
5178b01b261ae350a849893975256e12867fc91b

SHA256
bc3831a30260613c9a344b24ea11bbb56449fcf112a1dd7205adebf7136c33e1

SHA512
3b6cdf557b731fce6b188263a625d07f6dde321d7983a18bb1fb4234b9a95fee8b88dcad7e959bb81fb41072f83614ed6f17a32877730128903181377f9a1be4

Download Submit
\Program Files (x86)\Icecream Ebook Reader\libGLESv2.dll

MD5
c36670a5ef4b5266ff22fc3396bb8d4e

SHA1
ef0cab19228af2c7caea5aa07cbf132ee07cd7d0

SHA256
0166707318459f816dca72145c3c7ab7e3c9064d76a2692b44d6e86d2a737ca2

SHA512
2b402bc61769b429f959a9ddcc4de36800b69e5b68b0caf2025bbaa5c09327af8a697d3f33e3a2a4e3f51b1bfe064b61b57105e0dd92d6f5c5f0d6ea189ddad2

Download Submit
\Program Files (x86)\Icecream Ebook Reader\libcurl.dll

MD5
faf0320271c29fdb11d3e0ae9a7d1836

SHA1
d3d8b7cbf531007e4884110193132a47bf8fdac9

SHA256
fb709f839909afadff9ae0032a7099d5ed07fd56eb01a9752828505278e415f5

SHA512
e79ce7d5091861f16f408fa6d784ad95058afd5aa4439140e9ac723dc51672c389694e5284e66c82c3b8f9e617d2ac2689160235a418c58c58d23f2c6b848a0b

Download Submit
\Program Files (x86)\Icecream Ebook Reader\msvcp120.dll

MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
\Program Files (x86)\Icecream Ebook Reader\msvcr100.dll

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Program Files (x86)\Icecream Ebook Reader\msvcr120.dll

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
\Program Files (x86)\Icecream Ebook Reader\quazip.dll

MD5
5de7fe11f34277530838326caa3f3790

SHA1
9a9b55b1039b84d3fa75b47d75861b30ddf64556

SHA256
20158cbfa0bc77a498ce568dcd1e6e5d6a415c089839d434dc349cce33d6a925

SHA512
595f239893edd04b6dd61eb85612d5744a80669f1a740af155d5dc7abab57a2a1d3ffc951b9c93a4758b0cb7de5ffd3b4370d0721363c581cd1bec708b740bc1

Download Submit
\Program Files (x86)\Icecream Ebook Reader\unrar.dll

MD5
570e94acbc5e43e7a3c217148291be4c

SHA1
684e6dc1669cc5772ea46493c17d8010554cb3d9

SHA256
cfc782faffc6fa3b602e97d2ea0d00e20873e10cc9b46160bff7ce1b5f738c0f

SHA512
fb271860d7978d2cc59d2f1ca618a27248278837317d87c032469f8561a221314b9388b61dd2942bc916c388ba74cecb4517040bf3da898be2f85cf7adc45afe

Download Submit
\Users\Admin\AppData\Local\Temp\is-FT0QC.tmp\ebook.exe.org.tmp

MD5
b6ea91910145dacd1a87fba52b5fa76e

SHA1
c8c557fcaf3e6e7274633dfb5576a9cfda2635c4

SHA256
9141bdb8993c54e6e80b0fd38dee61203988743525344dc6579d67c140511c6c

SHA512
e6fcd6c72256dc7ce7aaa50108388af6a9fb8e458e173abbee1e64791d85bb76dab5d924b35b00a5a18f2c3735041bed44dba115fb534e45f4fdfaaabc5ad9d2

Download Submit
memory/480-149-0x0000000000720000-0x000000000083D000-memory.dmp

Filesize
1.1MB

Download
memory/480-147-0x0000000000000000-mapping.dmp

Download
memory/796-135-0x0000000000000000-mapping.dmp

Download
memory/964-68-0x0000000000000000-mapping.dmp

Download
memory/964-69-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/1008-143-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1008-137-0x0000000000000000-mapping.dmp

Download
memory/1012-145-0x0000000074591000-0x0000000074593000-memory.dmp

Filesize
8KB

Download
memory/1012-144-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1012-141-0x0000000000000000-mapping.dmp

Download
memory/1416-64-0x0000000074341000-0x0000000074343000-memory.dmp

Filesize
8KB

Download
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1416-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1420-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1420-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1424-83-0x0000000000580000-0x000000000069D000-memory.dmp

Filesize
1.1MB

Download
memory/1424-72-0x0000000000000000-mapping.dmp

Download
memory/1488-134-0x0000000000000000-mapping.dmp

Download
memory/1488-136-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1700-146-0x0000000000000000-mapping.dmp

Download
memory/1868-70-0x0000000000000000-mapping.dmp

Download