4c204c3c57bd390391434d6dbb13fa3fd5278b4a3cdd380aae3210874758949a

Analysis

max time kernel
34s
max time network
41s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:51

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Size

6.6MB
MD5

b106c4f51cd1d39f7b73b7cbaff20a96
SHA1

dabcf8dd348dd0e3da2cd04db9a65460370b69c0
SHA256

4c204c3c57bd390391434d6dbb13fa3fd5278b4a3cdd380aae3210874758949a
SHA512

9d3bb75629a42dd1e682f05f65f7956ff029030b3b2007adb3e29ceac2869f68cc1c98f91bcdfdde484f66bdc5b7d4fbd98d4cf74abb34eab0a34da97d49b332
SSDEEP

196608:PlqXMq+fGQkZFctnpmjaioinp+W5kNfbsnDZxOT26DN:wfG7fp26DN

Score

10^/10

bootkit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\system32\\HkApp.exe"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\11 = "C:\\Windows\\SysWOW64\\HkApp.exe"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	GDesServer.exe

Loads dropped DLL 8 IoCs

pid	Process
2952	regsvr32.exe
1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
2988	GDesServer.exe
2988	GDesServer.exe
2988	GDesServer.exe
2988	GDesServer.exe
2988	GDesServer.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\MACHINE = "QM00013"	GDesServer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GDesServer.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PDMClient.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\GDesServer.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini	GDesServer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\HkInstall.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.SChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini	GDesServer.exe
File opened for modification	C:\Windows\SysWOW64\HkSys.cpy	GDesServer.exe
File created	C:\Windows\SysWOW64\Thumbs.db	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\HkSys.cpy	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.TChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\hkcore32.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HookProc.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\ws2_32d.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.SChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApp.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.English.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApiIni.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdataOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.cpy	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\GSDES.lic	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.English.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.dll.ole	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesInitScan.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\MessageDispose.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdatOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.Japan.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesPdm.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\gsmake.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\about.bmp	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.bak	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.bak.ole	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.TChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\setup_client.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DogDll.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApi.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\MFC71.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\SocketDll.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdata	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.inf	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApp.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesConfig.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\wrar.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\DES_Lan.gss.inf	GDesServer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini	GDesServer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiIni.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\GSDES.licOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\ws2_32e.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdat	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software\microsoft\windows\CurrentVersion\Policies\Explorer	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\microsoft	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\MMC	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}\Restrict_Run = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}\Restrict_Run = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\windows	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	GDesServer.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\ = "{281B510B-B688-4993-9059-AFA0F51E9F4E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GDesServer.EXE	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GDesServer.EXE\AppID = "{0CC13972-8947-4C01-9625-66A8BF2262FE}"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\ = "DesPdm Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DesPdm\ = "{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\ = "{281B510B-B688-4993-9059-AFA0F51E9F4E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\DesPdm	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}\LocalService = "GDesServer"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}\ServiceParameters = "-install"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ = "IDesPdm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\ = "DedPdmDll 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32\ = "C:\\Windows\\SysWow64\\DesPdm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ = "IDesPdm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DesPdm	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\DesPdm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\DesPdm\ = "{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
2988	GDesServer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28
PID 1964 wrote to memory of 2952	1964	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\DesPdm.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2952

C:\Windows\SysWOW64\GDesServer.exe
C:\Windows\SysWOW64\GDesServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DES_LAN.gss.English.XML

Filesize
102KB

MD5
b4fd0cba2cb35bbcc0e3b634898d6121

SHA1
f0a9d6351174f98e6d296d8db16a9a4a0447274b

SHA256
918d56c467ef1479c2807ea259b96da55d148c475c6dc1151985adcff0602cd3

SHA512
a387c70581a47aadc2bba6ceba75d942f8d3a4f424f01268864c0cf372e32c5a207befc5417ce9592ff4ba52459ba74ec48f6821cb66b13b1735ec676e06d595

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.Japan.XML

Filesize
101KB

MD5
1a1350bf3ebc285593d8cbf08070849f

SHA1
8a78212ad4f512307e8fcb63cec5b3c978987697

SHA256
57edafd850a905ff7380ccfcb42482f23e2cd0ce230017093293c70728c9614b

SHA512
6e897a86137d587c7d4c81cd06407db9c13bb1f019840a42d2adf09095bd74807111837f1773fb21d9f8f315c7e27d9a388f1b115f757fae3acf6860fe29d471

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.SChinese.XML

Filesize
85KB

MD5
b778b5bae1cab77e3c45520f7a57300c

SHA1
167c0b015dd1dc7940bcc35c02bef132ee36aee6

SHA256
7149b659030f06c6561099380f3c2755c286ca5a58aead4bd0cb523de147ef83

SHA512
6fc68a35283a296bbdb5debf610e5839bffb7caf0ab90cd0c143933aafed679ee085fe32a674b9f917407b155a1dee8bd27014f4b75f61869e2df26c5885fc79

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.TChinese.XML

Filesize
85KB

MD5
dcb4f79f84fe1e9c4849f59cb0f62eb4

SHA1
d73d663d5517cd61b6c1ca9dd3afde700c894f33

SHA256
275154e9d38ab347434e8bf0c8bbc8d61c53b6cbd3c7aa928fd9fbb5288900a3

SHA512
a5eda0a32c2cefb1160197ce47ed7d31091bcb90a5a22eb6dc507cfe5c69bc687309d926660525e62829e3967def24cf72771351008529cc304d7e4b1675cf9d

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.inf

Filesize
61B

MD5
dd8c980be259f32ecbcb21ab32428007

SHA1
f045043a9c3ed1768e0ae93df5b3c5049a344a61

SHA256
716544103a53660c4360b1ab2745da22ffff9ebdf84096e2b521b63701bf5807

SHA512
15d31239d7704fab1d9f9c4b3e801db6e176f84ae26a98e6c11e87ee85d0814d56fda5a2deb8ed816a623fa6a5d8449f8d6811aaa34087df3cd2623e66cd29d0

Download Submit
C:\Windows\SysWOW64\DES_Lan.gss

Filesize
131B

MD5
cb8c944b93bdcb339f69cd32e908b818

SHA1
c4e2bbb80192692a4027d05f04fcad18ac4b1644

SHA256
1bb2452c22d97c69f9b36151a7d1de804904c6c6e037645563a92f95be5b9653

SHA512
eae89c60dc4f41ad6a6b69fef72d3234c67dcaf9b2f1eba536254b1ca10c2e86a4a1a6ff3b12aeb4bce408538702e6c98aa6116ea250059027fc1e920e67e73d

Download Submit
C:\Windows\SysWOW64\DES_Lan.gss.inf

Filesize
61B

MD5
dd8c980be259f32ecbcb21ab32428007

SHA1
f045043a9c3ed1768e0ae93df5b3c5049a344a61

SHA256
716544103a53660c4360b1ab2745da22ffff9ebdf84096e2b521b63701bf5807

SHA512
15d31239d7704fab1d9f9c4b3e801db6e176f84ae26a98e6c11e87ee85d0814d56fda5a2deb8ed816a623fa6a5d8449f8d6811aaa34087df3cd2623e66cd29d0

Download Submit
C:\Windows\SysWOW64\DesConfig.ini

Filesize
121B

MD5
38a48e7cae775b1f7204ef53258b54ae

SHA1
dc36a3bcf1b111cf313d26b6495a92445ce7618a

SHA256
0b4a54a2047652643d7b36ceef8916a9f10a268c04e01da17eb6ba9cffaf5d3f

SHA512
ea45e84db28c81ec0214f67fde59c8ea54cfbe816034c4197144c92ce9d600ff83aa5d794cc0300a84f02b35024fb1e9d3c7802d09fd9187491fb133d9ce0457

Download Submit
C:\Windows\SysWOW64\DesPdm.dll

Filesize
40KB

MD5
d0595bd3179fc15d8b060a66740ed9d3

SHA1
e345f4ce4870f5e15fdc34f46d8bfaf8ab3a6e58

SHA256
08bb70983da155809bd4f9cd23b4f684f1165a2980db8243f7b6f584c8be6c68

SHA512
a90d76ae3cf55c2ad818a945e5a57400422010920b7754034868ff4b9a8b6233d4157750e12b90bf0467c82a12fffee2c36b4cfbb881f47537bb7bf2ff0cb8a8

Download Submit
C:\Windows\SysWOW64\GDesServer.exe

Filesize
272KB

MD5
8c5a43215af69781aff444ce44b932f6

SHA1
902d9e0942a91b9780ec8185247957f6d46d05c9

SHA256
da750e3d246368496b3ae7da341c8a897dec52a73f3d36b8781e678c8f9dc829

SHA512
266b533682e2754cd3b9dea9e196513dfa3a7cf24265cb67e80c55670218b97d34d21bab53f70ae036585dd8a1f26e1b1868f8167def58f68934b13a3333dac6

Download Submit
C:\Windows\SysWOW64\GSDES.lic

Filesize
814B

MD5
e0dfac6e9045b5ef0c0c7ebea9d1f9cb

SHA1
190ed673bf88878eaf109d795f6646728579d276

SHA256
58a44a93d886092c0fa7dfbc8762d04b674224b0690142f7430107791be4d117

SHA512
be1289738d59a344975e795bdc9c16f5d683bcf5ef414d9dc2109db19851a53a27bd1eaaa1580e675ab9f9f0c24bf50a552a84492ed44d5b6f12da8904f64161

Download Submit
C:\Windows\SysWOW64\HkApiini.ini

Filesize
889B

MD5
d3fdf4a695a45990872912cd9ffc4772

SHA1
01585620d952f1c391e36d7f255e34ae6dcce1a0

SHA256
b7686970309527398eb7c59cb5845d0ad3c6646f80ae53f039b17c28eda017d5

SHA512
0952fc6f3d3ddccafbd52acd6b6e2577d38584f9ae1e7839d7b34a2d0d6c8500924ae28bdf97b5f59bfca6f5a6646db9b68683908728449f7ad49ec484164704

Download Submit
C:\Windows\SysWOW64\HkApp.ini

Filesize
61B

MD5
4a8b30b8c32287596c83d7f4d3495aa2

SHA1
f9ff81a1f44fbfa36c765d576f8fd7847a68a65f

SHA256
fd67b5eae24db36dd1891094eda9e7d2ec845fe0162dbc1cdf82570b0f3d9185

SHA512
b2e692e20dd19e053eaa926ff431e3a565cb8b3a7132cf866ba3cd94e9dadac10e3a0d8dbe2e1ea54d8cc72b56b11b1687e348d9b9862ff55d68295d30fb9c79

Download Submit
C:\Windows\SysWOW64\HkSys.bak

Filesize
32KB

MD5
838dfafad9dfb6c90db35f3eab0945bb

SHA1
f67a3270da652035a3f25c0619b1eb4077357541

SHA256
c8d5a8e49b42dc9608ef8286425abeb2ff2b8147aee8d1f4fbcf901d7a464b05

SHA512
dda18e90553ba8992b6b89bc6cc15307fda004543ffdd804279a8f3dd3da203c9e301d8cd98d4ed2755d7b8d3789e5e5a9f51ef654914d6c43e99b523eef03d7

Download Submit
C:\Windows\SysWOW64\HkSys.cpy

Filesize
32KB

MD5
838dfafad9dfb6c90db35f3eab0945bb

SHA1
f67a3270da652035a3f25c0619b1eb4077357541

SHA256
c8d5a8e49b42dc9608ef8286425abeb2ff2b8147aee8d1f4fbcf901d7a464b05

SHA512
dda18e90553ba8992b6b89bc6cc15307fda004543ffdd804279a8f3dd3da203c9e301d8cd98d4ed2755d7b8d3789e5e5a9f51ef654914d6c43e99b523eef03d7

Download Submit
C:\Windows\SysWOW64\MFC71.DLL

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
C:\Windows\SysWOW64\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\SysWOW64\MessageDispose.dll

Filesize
644KB

MD5
065a42021f9b517557488365ee5817e0

SHA1
729f871f23b0e49175116a89c3c3f7619ca2083d

SHA256
66adabc3267ce9350aba2c2966e41b3b36ed676ae709dffe828be3555552a3b5

SHA512
5cde7f22b27c7f5fc9a4bf5e73359f9663214904516da5c5e9e87bb3e437d435802c6bd3f2d552f0726fe0dd4bdfd99c96617a3c6b8d6dec21e9997143cfc862

Download Submit
C:\Windows\SysWOW64\PDMClient.dll

Filesize
132KB

MD5
1f33193c40c37936e9bf679d461ae7ef

SHA1
1bb634b3df9ab29c689972abb9b76c9e59ebd469

SHA256
41a7919a5cc1b390e03577472aa1b7c2b89f5a1866e3152fd87586fb028a8cca

SHA512
ec4cb826f577862b43d8866ac26f50b0153cb954e4b89dfda9320331184a5e436702b6b4b1ea7263243743d53b0eef3148ac86e57e25df54e03a515369d25f40

Download Submit
C:\Windows\SysWOW64\PDMClient.gss

Filesize
160B

MD5
76844c1af9fe129a036c83e20d84d682

SHA1
62f9c76c3c1c697b20276334888e5bc811a5011e

SHA256
dd6fb3f3ab931f051956a58b7c25747a91db9491129752429dcd00cfbdce3b2a

SHA512
2b1408a379373990f636ecbe84c8ae85d412b45502e694445df11fce3ec01ca80d5217641a2d437a560ccaad41e6a85ef3569b500522f94a82fdd0bb7a14b810

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.English.XML

Filesize
770B

MD5
9bac85b4a45027c82c137363ba58d366

SHA1
5cf641ac8e82eacfb7ae064418117bcd1448a4e6

SHA256
b567043d177c810004f635cf73913bdc6cf1ed86b916792e840edfbff3bad8f0

SHA512
5f228a7d5a79b48c5740cdd0804742a7a92aaf31a209faf7749ecd12522641a1e325a686a13e31697637c17755e90bdc3a44c268fce9d2f6e4985d3e00950ff1

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.SChinese.XML

Filesize
698B

MD5
95d5d162e7bcca4dd85c7b80805520d3

SHA1
438b50e2292aa5a1131471cd5594773cc9406a3c

SHA256
653a2c3168dc288164274da4dd6d020c50bb6188fa941b0dbd1d24f458ce132a

SHA512
77dfd931a02915ce7b3d32cf5acfc14fb64d7b7ab26f42ab254e0802de5179828bb50b04c22afa40e51898ef17e7e9b298e4f3def417158f9f6ed5a34e2c13d2

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.TChinese.XML

Filesize
702B

MD5
802e707048898ca4cf0480f094a8c410

SHA1
8eec25b234fb2a1365da6638dbb596500a66b4dd

SHA256
bcbb37e03d4e5204eb068b928ac25b864513f010b083099c1ca28098bdd81392

SHA512
5273f3b619d0b01dcd3e59fae9ac9225208d334b2fe1da789c3073ff6e7891b314633895e51259b11c1c7cc56c01004b0e8fe4f960105494d75ca464305c9b73

Download Submit
C:\Windows\SysWOW64\SocketDll.dll

Filesize
587KB

MD5
115a8a720e284cfd72d0cc1e89ed745f

SHA1
080f3bd2e51b0e8c9ec9495cea6663130e911656

SHA256
5a79161b3d7dc431acb89895991e11e0aa092550cf7b2924bd45c4b75b572c60

SHA512
b2f2a0daa0d2822c3f3b11112ce6fbedac6a248e9d4576dc0617fb25039a345e0552adeae7787d49684ff69e514f2c60bd03fa0762e769206adc558d62227daf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini

Filesize
889B

MD5
e2ee659a13542cae1aa444cf44100c10

SHA1
d32576a4c27ebdf8a61b50a5a146d9419a4daaed

SHA256
228e00f641994403d3f890725b106e3f89933dbb90911bdaefc0e9ad12a80d5f

SHA512
4d49dddfe651fbd6ad24e66f483a6398ae3c1f0cb35b1e4693dd93f98e43952533500b19bcb67f00ba9561c03a73b5ea3cae3c44ff13ec6605095aaa1fb86589

Download Submit
C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini

Filesize
61B

MD5
f855ac45d227edbd3eafe2fc4ab555ea

SHA1
0181ff71ac9fdc6fb1c05530aeafd65b4fce0f45

SHA256
caa45a5696d539c6fcf6782819ecd3b365cbe554db70430dc30641fa522f3099

SHA512
3e4b8954480d99dc7fbbf491721fa4202d19a2673f602fc895bef42e985e119823105bd7f97256d59d2c744506a5088ae25a1d37ef8eafe8217a1b245d1abba0

Download Submit
C:\Windows\SysWOW64\licdat

Filesize
512B

MD5
bf619eac0cdf3f68d496ea9344137e8b

SHA1
5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5

SHA256
076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560

SHA512
df40d4a774e0b453a5b87c00d6f0ef5d753143454e88ee5f7b607134598294c7905ccbcf94bbc46e474db6eb44e56a6dbb6d9a1be9d4fb5d1b5f2d0c6ed34bfe

Download Submit
C:\Windows\SysWOW64\licdata

Filesize
160B

MD5
f5526d9d6d7f4e8058a643d9d0b29a19

SHA1
c4f35a46bdf54e9098a92eb8a96f2e42142cadc2

SHA256
72bab480b23d18a509f10dcfc032ff67281a5b68692d6620a147801700808e5c

SHA512
ccc4689106ddced22abc50b0fca90b58cdaacf2e2232fda63f61382bf736882f2ca2d90325ba1411fdbc6165a0b5ad02d95a637ef3c28d0354e35aba902e8a2c

Download Submit
\Windows\SysWOW64\DesPdm.dll

Filesize
40KB

MD5
d0595bd3179fc15d8b060a66740ed9d3

SHA1
e345f4ce4870f5e15fdc34f46d8bfaf8ab3a6e58

SHA256
08bb70983da155809bd4f9cd23b4f684f1165a2980db8243f7b6f584c8be6c68

SHA512
a90d76ae3cf55c2ad818a945e5a57400422010920b7754034868ff4b9a8b6233d4157750e12b90bf0467c82a12fffee2c36b4cfbb881f47537bb7bf2ff0cb8a8

Download Submit
\Windows\SysWOW64\HkInstall.dll

Filesize
92KB

MD5
e789692424b5acb1f6d98667f2e84049

SHA1
a9eb923154093369deacc5b04d50f6116724152b

SHA256
4dfad73c30995da503194e813a39d148e800847210d4e0067aeae4cd79300dc7

SHA512
55ce44b23636d0f6b52991faffa75f791faaa0875390b5e396f12fe2ef0b32b87fd1bca64730e43f95f8fcb0e3ef8cf5279c33f8d8a7895ecda7d00f61b9339b

Download Submit
\Windows\SysWOW64\HkInstall.dll

Filesize
92KB

MD5
e789692424b5acb1f6d98667f2e84049

SHA1
a9eb923154093369deacc5b04d50f6116724152b

SHA256
4dfad73c30995da503194e813a39d148e800847210d4e0067aeae4cd79300dc7

SHA512
55ce44b23636d0f6b52991faffa75f791faaa0875390b5e396f12fe2ef0b32b87fd1bca64730e43f95f8fcb0e3ef8cf5279c33f8d8a7895ecda7d00f61b9339b

Download Submit
\Windows\SysWOW64\MFC71.dll

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
\Windows\SysWOW64\MessageDispose.dll

Filesize
644KB

MD5
065a42021f9b517557488365ee5817e0

SHA1
729f871f23b0e49175116a89c3c3f7619ca2083d

SHA256
66adabc3267ce9350aba2c2966e41b3b36ed676ae709dffe828be3555552a3b5

SHA512
5cde7f22b27c7f5fc9a4bf5e73359f9663214904516da5c5e9e87bb3e437d435802c6bd3f2d552f0726fe0dd4bdfd99c96617a3c6b8d6dec21e9997143cfc862

Download Submit
\Windows\SysWOW64\PDMClient.dll

Filesize
132KB

MD5
1f33193c40c37936e9bf679d461ae7ef

SHA1
1bb634b3df9ab29c689972abb9b76c9e59ebd469

SHA256
41a7919a5cc1b390e03577472aa1b7c2b89f5a1866e3152fd87586fb028a8cca

SHA512
ec4cb826f577862b43d8866ac26f50b0153cb954e4b89dfda9320331184a5e436702b6b4b1ea7263243743d53b0eef3148ac86e57e25df54e03a515369d25f40

Download Submit
\Windows\SysWOW64\SocketDll.dll

Filesize
587KB

MD5
115a8a720e284cfd72d0cc1e89ed745f

SHA1
080f3bd2e51b0e8c9ec9495cea6663130e911656

SHA256
5a79161b3d7dc431acb89895991e11e0aa092550cf7b2924bd45c4b75b572c60

SHA512
b2f2a0daa0d2822c3f3b11112ce6fbedac6a248e9d4576dc0617fb25039a345e0552adeae7787d49684ff69e514f2c60bd03fa0762e769206adc558d62227daf

Download Submit
\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
memory/1460-218-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1496-221-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2988-195-0x0000000002FD0000-0x0000000003070000-memory.dmp

Filesize
640KB

Download
memory/2988-201-0x0000000001E50000-0x0000000001EFE000-memory.dmp

Filesize
696KB

Download
memory/2988-202-0x0000000002FD0000-0x0000000003070000-memory.dmp

Filesize
640KB

Download
memory/2988-203-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2988-200-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2988-138-0x0000000001E50000-0x0000000001EFE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads