4c204c3c57bd390391434d6dbb13fa3fd5278b4a3cdd380aae3210874758949a

Analysis

max time kernel
18s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Size

6.6MB
MD5

b106c4f51cd1d39f7b73b7cbaff20a96
SHA1

dabcf8dd348dd0e3da2cd04db9a65460370b69c0
SHA256

4c204c3c57bd390391434d6dbb13fa3fd5278b4a3cdd380aae3210874758949a
SHA512

9d3bb75629a42dd1e682f05f65f7956ff029030b3b2007adb3e29ceac2869f68cc1c98f91bcdfdde484f66bdc5b7d4fbd98d4cf74abb34eab0a34da97d49b332
SSDEEP

196608:PlqXMq+fGQkZFctnpmjaioinp+W5kNfbsnDZxOT26DN:wfG7fp26DN

Score

8^/10

bootkit persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\11 = "C:\\Windows\\SysWOW64\\HkApp.exe"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3640	GDesServer.exe

Loads dropped DLL 11 IoCs

pid	Process
1312	regsvr32.exe
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe
3640	GDesServer.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\MACHINE = "QM00013"	GDesServer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GDesServer.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiIni.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\HkApi.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkInstall.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini	GDesServer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\PDMClient.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\hkcore32.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApp.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApp.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdata	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\HkSys.cpy	GDesServer.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.SChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\Thumbs.db	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.dll.ole	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\MFC71.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesInitScan.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\gsmake.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HookProc.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdatOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.bak.ole	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.TChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\GSDES.lic	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.English.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesConfig.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdataOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\setup_client.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\DES_Lan.gss.inf	GDesServer.exe
File created	C:\Windows\SysWOW64\about.bmp	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.bak	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini	GDesServer.exe
File created	C:\Windows\SysWOW64\DogDll.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\GDesServer.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\licdat	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DesPdm.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\GSDES.licOd	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkApiIni.ini	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File opened for modification	C:\Windows\SysWOW64\HkSys.cpy	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\ws2_32e.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.inf	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\HkSys.cpy	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\ws2_32d.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.Japan.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\wrar.exe	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\MessageDispose.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\PDMClient.gss.English.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.SChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\DES_LAN.gss.TChinese.XML	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
File created	C:\Windows\SysWOW64\SocketDll.dll	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Modifies data under HKEY_USERS 32 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}\Restrict_Run = "0"	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}\Restrict_Run = "0"	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "116"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\MMC	GDesServer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\microsoft	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter = "0"	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\software	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\software\microsoft\windows\CurrentVersion\Policies\Explorer	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	GDesServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	GDesServer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DesPdm	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DesPdm\ = "{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}\LocalService = "GDesServer"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GDesServer.EXE\AppID = "{0CC13972-8947-4C01-9625-66A8BF2262FE}"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\ = "DesPdm Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\ = "{281B510B-B688-4993-9059-AFA0F51E9F4E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}\ServiceParameters = "-install"	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\ = "DedPdmDll 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ = "IDesPdm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0CC13972-8947-4C01-9625-66A8BF2262FE}	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\DesPdm.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\ = "{281B510B-B688-4993-9059-AFA0F51E9F4E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GDesServer.EXE	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ = "IDesPdm"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DesPdm	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}\InprocServer32\ = "C:\\Windows\\SysWow64\\DesPdm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DesPdm\ = "{EA29B300-3EA0-4DD2-B2F8-3CC519BFA948}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{281B510B-B688-4993-9059-AFA0F51E9F4E}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92BE96D6-68D2-4784-81EC-C1346924DA85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
3640	GDesServer.exe
3640	GDesServer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
4592	LogonUI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 1312	3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	93
PID 3288 wrote to memory of 1312	3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	93
PID 3288 wrote to memory of 1312	3288	2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe	93

C:\Users\Admin\AppData\Local\Temp\2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_b106c4f51cd1d39f7b73b7cbaff20a96_icedid_JC.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\DesPdm.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1312

C:\Windows\SysWOW64\GDesServer.exe
C:\Windows\SysWOW64\GDesServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\Setup.ini

Filesize
643B

MD5
f2cb392117a2704d18bacf1a0275ed7b

SHA1
739089ab6bcbf87064b5e1ebc535e95575bcdec9

SHA256
261f652e981119ee4ff825e6fd8118fe55fa9809b6f84eba84aa443c5c98d8e6

SHA512
0c0bac7af9a9262293cd87d3ea0c82b588d9b46f5a87b1f022b930b2005c6a9f84d4c0b935807b092b65a8cb437bb1422909427aca283d9ef9341ea3ed614012

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.English.XML

Filesize
102KB

MD5
b4fd0cba2cb35bbcc0e3b634898d6121

SHA1
f0a9d6351174f98e6d296d8db16a9a4a0447274b

SHA256
918d56c467ef1479c2807ea259b96da55d148c475c6dc1151985adcff0602cd3

SHA512
a387c70581a47aadc2bba6ceba75d942f8d3a4f424f01268864c0cf372e32c5a207befc5417ce9592ff4ba52459ba74ec48f6821cb66b13b1735ec676e06d595

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.Japan.XML

Filesize
101KB

MD5
1a1350bf3ebc285593d8cbf08070849f

SHA1
8a78212ad4f512307e8fcb63cec5b3c978987697

SHA256
57edafd850a905ff7380ccfcb42482f23e2cd0ce230017093293c70728c9614b

SHA512
6e897a86137d587c7d4c81cd06407db9c13bb1f019840a42d2adf09095bd74807111837f1773fb21d9f8f315c7e27d9a388f1b115f757fae3acf6860fe29d471

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.SChinese.XML

Filesize
85KB

MD5
b778b5bae1cab77e3c45520f7a57300c

SHA1
167c0b015dd1dc7940bcc35c02bef132ee36aee6

SHA256
7149b659030f06c6561099380f3c2755c286ca5a58aead4bd0cb523de147ef83

SHA512
6fc68a35283a296bbdb5debf610e5839bffb7caf0ab90cd0c143933aafed679ee085fe32a674b9f917407b155a1dee8bd27014f4b75f61869e2df26c5885fc79

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.TChinese.XML

Filesize
85KB

MD5
dcb4f79f84fe1e9c4849f59cb0f62eb4

SHA1
d73d663d5517cd61b6c1ca9dd3afde700c894f33

SHA256
275154e9d38ab347434e8bf0c8bbc8d61c53b6cbd3c7aa928fd9fbb5288900a3

SHA512
a5eda0a32c2cefb1160197ce47ed7d31091bcb90a5a22eb6dc507cfe5c69bc687309d926660525e62829e3967def24cf72771351008529cc304d7e4b1675cf9d

Download Submit
C:\Windows\SysWOW64\DES_LAN.gss.inf

Filesize
60B

MD5
4e830d2fe4c13d40dcdcfd90167c57e9

SHA1
9b83dcda60582e3c4993d1bff5d9667d1f2718e5

SHA256
6f2379f4318e0a72ab7a8a94a2a16ac4106e6c0987427da41d0500319df7dc12

SHA512
86418cf2cd668f3c6ef93a1080895418841c616afc54b4bfd16d797462c7e7533baccfa9dd3870d5caf4913c8d8fc3fdd6de177748e62ddb643fd35e3e2a2b95

Download Submit
C:\Windows\SysWOW64\DES_Lan.gss

Filesize
131B

MD5
cb8c944b93bdcb339f69cd32e908b818

SHA1
c4e2bbb80192692a4027d05f04fcad18ac4b1644

SHA256
1bb2452c22d97c69f9b36151a7d1de804904c6c6e037645563a92f95be5b9653

SHA512
eae89c60dc4f41ad6a6b69fef72d3234c67dcaf9b2f1eba536254b1ca10c2e86a4a1a6ff3b12aeb4bce408538702e6c98aa6116ea250059027fc1e920e67e73d

Download Submit
C:\Windows\SysWOW64\DES_Lan.gss.inf

Filesize
60B

MD5
4e830d2fe4c13d40dcdcfd90167c57e9

SHA1
9b83dcda60582e3c4993d1bff5d9667d1f2718e5

SHA256
6f2379f4318e0a72ab7a8a94a2a16ac4106e6c0987427da41d0500319df7dc12

SHA512
86418cf2cd668f3c6ef93a1080895418841c616afc54b4bfd16d797462c7e7533baccfa9dd3870d5caf4913c8d8fc3fdd6de177748e62ddb643fd35e3e2a2b95

Download Submit
C:\Windows\SysWOW64\DesConfig.ini

Filesize
121B

MD5
38a48e7cae775b1f7204ef53258b54ae

SHA1
dc36a3bcf1b111cf313d26b6495a92445ce7618a

SHA256
0b4a54a2047652643d7b36ceef8916a9f10a268c04e01da17eb6ba9cffaf5d3f

SHA512
ea45e84db28c81ec0214f67fde59c8ea54cfbe816034c4197144c92ce9d600ff83aa5d794cc0300a84f02b35024fb1e9d3c7802d09fd9187491fb133d9ce0457

Download Submit
C:\Windows\SysWOW64\DesPdm.dll

Filesize
40KB

MD5
d0595bd3179fc15d8b060a66740ed9d3

SHA1
e345f4ce4870f5e15fdc34f46d8bfaf8ab3a6e58

SHA256
08bb70983da155809bd4f9cd23b4f684f1165a2980db8243f7b6f584c8be6c68

SHA512
a90d76ae3cf55c2ad818a945e5a57400422010920b7754034868ff4b9a8b6233d4157750e12b90bf0467c82a12fffee2c36b4cfbb881f47537bb7bf2ff0cb8a8

Download Submit
C:\Windows\SysWOW64\DesPdm.dll

Filesize
40KB

MD5
d0595bd3179fc15d8b060a66740ed9d3

SHA1
e345f4ce4870f5e15fdc34f46d8bfaf8ab3a6e58

SHA256
08bb70983da155809bd4f9cd23b4f684f1165a2980db8243f7b6f584c8be6c68

SHA512
a90d76ae3cf55c2ad818a945e5a57400422010920b7754034868ff4b9a8b6233d4157750e12b90bf0467c82a12fffee2c36b4cfbb881f47537bb7bf2ff0cb8a8

Download Submit
C:\Windows\SysWOW64\GDesServer.exe

Filesize
272KB

MD5
8c5a43215af69781aff444ce44b932f6

SHA1
902d9e0942a91b9780ec8185247957f6d46d05c9

SHA256
da750e3d246368496b3ae7da341c8a897dec52a73f3d36b8781e678c8f9dc829

SHA512
266b533682e2754cd3b9dea9e196513dfa3a7cf24265cb67e80c55670218b97d34d21bab53f70ae036585dd8a1f26e1b1868f8167def58f68934b13a3333dac6

Download Submit
C:\Windows\SysWOW64\GDesServer.exe

Filesize
272KB

MD5
8c5a43215af69781aff444ce44b932f6

SHA1
902d9e0942a91b9780ec8185247957f6d46d05c9

SHA256
da750e3d246368496b3ae7da341c8a897dec52a73f3d36b8781e678c8f9dc829

SHA512
266b533682e2754cd3b9dea9e196513dfa3a7cf24265cb67e80c55670218b97d34d21bab53f70ae036585dd8a1f26e1b1868f8167def58f68934b13a3333dac6

Download Submit
C:\Windows\SysWOW64\GSDES.lic

Filesize
814B

MD5
e0dfac6e9045b5ef0c0c7ebea9d1f9cb

SHA1
190ed673bf88878eaf109d795f6646728579d276

SHA256
58a44a93d886092c0fa7dfbc8762d04b674224b0690142f7430107791be4d117

SHA512
be1289738d59a344975e795bdc9c16f5d683bcf5ef414d9dc2109db19851a53a27bd1eaaa1580e675ab9f9f0c24bf50a552a84492ed44d5b6f12da8904f64161

Download Submit
C:\Windows\SysWOW64\HkApiini.ini

Filesize
889B

MD5
d3fdf4a695a45990872912cd9ffc4772

SHA1
01585620d952f1c391e36d7f255e34ae6dcce1a0

SHA256
b7686970309527398eb7c59cb5845d0ad3c6646f80ae53f039b17c28eda017d5

SHA512
0952fc6f3d3ddccafbd52acd6b6e2577d38584f9ae1e7839d7b34a2d0d6c8500924ae28bdf97b5f59bfca6f5a6646db9b68683908728449f7ad49ec484164704

Download Submit
C:\Windows\SysWOW64\HkApp.ini

Filesize
61B

MD5
4a8b30b8c32287596c83d7f4d3495aa2

SHA1
f9ff81a1f44fbfa36c765d576f8fd7847a68a65f

SHA256
fd67b5eae24db36dd1891094eda9e7d2ec845fe0162dbc1cdf82570b0f3d9185

SHA512
b2e692e20dd19e053eaa926ff431e3a565cb8b3a7132cf866ba3cd94e9dadac10e3a0d8dbe2e1ea54d8cc72b56b11b1687e348d9b9862ff55d68295d30fb9c79

Download Submit
C:\Windows\SysWOW64\HkInstall.dll

Filesize
92KB

MD5
e789692424b5acb1f6d98667f2e84049

SHA1
a9eb923154093369deacc5b04d50f6116724152b

SHA256
4dfad73c30995da503194e813a39d148e800847210d4e0067aeae4cd79300dc7

SHA512
55ce44b23636d0f6b52991faffa75f791faaa0875390b5e396f12fe2ef0b32b87fd1bca64730e43f95f8fcb0e3ef8cf5279c33f8d8a7895ecda7d00f61b9339b

Download Submit
C:\Windows\SysWOW64\HkInstall.dll

Filesize
92KB

MD5
e789692424b5acb1f6d98667f2e84049

SHA1
a9eb923154093369deacc5b04d50f6116724152b

SHA256
4dfad73c30995da503194e813a39d148e800847210d4e0067aeae4cd79300dc7

SHA512
55ce44b23636d0f6b52991faffa75f791faaa0875390b5e396f12fe2ef0b32b87fd1bca64730e43f95f8fcb0e3ef8cf5279c33f8d8a7895ecda7d00f61b9339b

Download Submit
C:\Windows\SysWOW64\HkInstall.dll

Filesize
92KB

MD5
e789692424b5acb1f6d98667f2e84049

SHA1
a9eb923154093369deacc5b04d50f6116724152b

SHA256
4dfad73c30995da503194e813a39d148e800847210d4e0067aeae4cd79300dc7

SHA512
55ce44b23636d0f6b52991faffa75f791faaa0875390b5e396f12fe2ef0b32b87fd1bca64730e43f95f8fcb0e3ef8cf5279c33f8d8a7895ecda7d00f61b9339b

Download Submit
C:\Windows\SysWOW64\HkSys.bak

Filesize
32KB

MD5
838dfafad9dfb6c90db35f3eab0945bb

SHA1
f67a3270da652035a3f25c0619b1eb4077357541

SHA256
c8d5a8e49b42dc9608ef8286425abeb2ff2b8147aee8d1f4fbcf901d7a464b05

SHA512
dda18e90553ba8992b6b89bc6cc15307fda004543ffdd804279a8f3dd3da203c9e301d8cd98d4ed2755d7b8d3789e5e5a9f51ef654914d6c43e99b523eef03d7

Download Submit
C:\Windows\SysWOW64\HkSys.cpy

Filesize
32KB

MD5
838dfafad9dfb6c90db35f3eab0945bb

SHA1
f67a3270da652035a3f25c0619b1eb4077357541

SHA256
c8d5a8e49b42dc9608ef8286425abeb2ff2b8147aee8d1f4fbcf901d7a464b05

SHA512
dda18e90553ba8992b6b89bc6cc15307fda004543ffdd804279a8f3dd3da203c9e301d8cd98d4ed2755d7b8d3789e5e5a9f51ef654914d6c43e99b523eef03d7

Download Submit
C:\Windows\SysWOW64\MFC71.DLL

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
C:\Windows\SysWOW64\MFC71.dll

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
C:\Windows\SysWOW64\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\SysWOW64\MessageDispose.dll

Filesize
644KB

MD5
065a42021f9b517557488365ee5817e0

SHA1
729f871f23b0e49175116a89c3c3f7619ca2083d

SHA256
66adabc3267ce9350aba2c2966e41b3b36ed676ae709dffe828be3555552a3b5

SHA512
5cde7f22b27c7f5fc9a4bf5e73359f9663214904516da5c5e9e87bb3e437d435802c6bd3f2d552f0726fe0dd4bdfd99c96617a3c6b8d6dec21e9997143cfc862

Download Submit
C:\Windows\SysWOW64\MessageDispose.dll

Filesize
644KB

MD5
065a42021f9b517557488365ee5817e0

SHA1
729f871f23b0e49175116a89c3c3f7619ca2083d

SHA256
66adabc3267ce9350aba2c2966e41b3b36ed676ae709dffe828be3555552a3b5

SHA512
5cde7f22b27c7f5fc9a4bf5e73359f9663214904516da5c5e9e87bb3e437d435802c6bd3f2d552f0726fe0dd4bdfd99c96617a3c6b8d6dec21e9997143cfc862

Download Submit
C:\Windows\SysWOW64\MessageDispose.dll

Filesize
644KB

MD5
065a42021f9b517557488365ee5817e0

SHA1
729f871f23b0e49175116a89c3c3f7619ca2083d

SHA256
66adabc3267ce9350aba2c2966e41b3b36ed676ae709dffe828be3555552a3b5

SHA512
5cde7f22b27c7f5fc9a4bf5e73359f9663214904516da5c5e9e87bb3e437d435802c6bd3f2d552f0726fe0dd4bdfd99c96617a3c6b8d6dec21e9997143cfc862

Download Submit
C:\Windows\SysWOW64\PDMClient.dll

Filesize
132KB

MD5
1f33193c40c37936e9bf679d461ae7ef

SHA1
1bb634b3df9ab29c689972abb9b76c9e59ebd469

SHA256
41a7919a5cc1b390e03577472aa1b7c2b89f5a1866e3152fd87586fb028a8cca

SHA512
ec4cb826f577862b43d8866ac26f50b0153cb954e4b89dfda9320331184a5e436702b6b4b1ea7263243743d53b0eef3148ac86e57e25df54e03a515369d25f40

Download Submit
C:\Windows\SysWOW64\PDMClient.dll

Filesize
132KB

MD5
1f33193c40c37936e9bf679d461ae7ef

SHA1
1bb634b3df9ab29c689972abb9b76c9e59ebd469

SHA256
41a7919a5cc1b390e03577472aa1b7c2b89f5a1866e3152fd87586fb028a8cca

SHA512
ec4cb826f577862b43d8866ac26f50b0153cb954e4b89dfda9320331184a5e436702b6b4b1ea7263243743d53b0eef3148ac86e57e25df54e03a515369d25f40

Download Submit
C:\Windows\SysWOW64\PDMClient.gss

Filesize
160B

MD5
76844c1af9fe129a036c83e20d84d682

SHA1
62f9c76c3c1c697b20276334888e5bc811a5011e

SHA256
dd6fb3f3ab931f051956a58b7c25747a91db9491129752429dcd00cfbdce3b2a

SHA512
2b1408a379373990f636ecbe84c8ae85d412b45502e694445df11fce3ec01ca80d5217641a2d437a560ccaad41e6a85ef3569b500522f94a82fdd0bb7a14b810

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.English.XML

Filesize
770B

MD5
9bac85b4a45027c82c137363ba58d366

SHA1
5cf641ac8e82eacfb7ae064418117bcd1448a4e6

SHA256
b567043d177c810004f635cf73913bdc6cf1ed86b916792e840edfbff3bad8f0

SHA512
5f228a7d5a79b48c5740cdd0804742a7a92aaf31a209faf7749ecd12522641a1e325a686a13e31697637c17755e90bdc3a44c268fce9d2f6e4985d3e00950ff1

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.SChinese.XML

Filesize
698B

MD5
95d5d162e7bcca4dd85c7b80805520d3

SHA1
438b50e2292aa5a1131471cd5594773cc9406a3c

SHA256
653a2c3168dc288164274da4dd6d020c50bb6188fa941b0dbd1d24f458ce132a

SHA512
77dfd931a02915ce7b3d32cf5acfc14fb64d7b7ab26f42ab254e0802de5179828bb50b04c22afa40e51898ef17e7e9b298e4f3def417158f9f6ed5a34e2c13d2

Download Submit
C:\Windows\SysWOW64\PDMClient.gss.TChinese.XML

Filesize
702B

MD5
802e707048898ca4cf0480f094a8c410

SHA1
8eec25b234fb2a1365da6638dbb596500a66b4dd

SHA256
bcbb37e03d4e5204eb068b928ac25b864513f010b083099c1ca28098bdd81392

SHA512
5273f3b619d0b01dcd3e59fae9ac9225208d334b2fe1da789c3073ff6e7891b314633895e51259b11c1c7cc56c01004b0e8fe4f960105494d75ca464305c9b73

Download Submit
C:\Windows\SysWOW64\SocketDll.dll

Filesize
587KB

MD5
115a8a720e284cfd72d0cc1e89ed745f

SHA1
080f3bd2e51b0e8c9ec9495cea6663130e911656

SHA256
5a79161b3d7dc431acb89895991e11e0aa092550cf7b2924bd45c4b75b572c60

SHA512
b2f2a0daa0d2822c3f3b11112ce6fbedac6a248e9d4576dc0617fb25039a345e0552adeae7787d49684ff69e514f2c60bd03fa0762e769206adc558d62227daf

Download Submit
C:\Windows\SysWOW64\SocketDll.dll

Filesize
587KB

MD5
115a8a720e284cfd72d0cc1e89ed745f

SHA1
080f3bd2e51b0e8c9ec9495cea6663130e911656

SHA256
5a79161b3d7dc431acb89895991e11e0aa092550cf7b2924bd45c4b75b572c60

SHA512
b2f2a0daa0d2822c3f3b11112ce6fbedac6a248e9d4576dc0617fb25039a345e0552adeae7787d49684ff69e514f2c60bd03fa0762e769206adc558d62227daf

Download Submit
C:\Windows\SysWOW64\SocketDll.dll

Filesize
587KB

MD5
115a8a720e284cfd72d0cc1e89ed745f

SHA1
080f3bd2e51b0e8c9ec9495cea6663130e911656

SHA256
5a79161b3d7dc431acb89895991e11e0aa092550cf7b2924bd45c4b75b572c60

SHA512
b2f2a0daa0d2822c3f3b11112ce6fbedac6a248e9d4576dc0617fb25039a345e0552adeae7787d49684ff69e514f2c60bd03fa0762e769206adc558d62227daf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\Temp\HkApiini.ini

Filesize
889B

MD5
e2ee659a13542cae1aa444cf44100c10

SHA1
d32576a4c27ebdf8a61b50a5a146d9419a4daaed

SHA256
228e00f641994403d3f890725b106e3f89933dbb90911bdaefc0e9ad12a80d5f

SHA512
4d49dddfe651fbd6ad24e66f483a6398ae3c1f0cb35b1e4693dd93f98e43952533500b19bcb67f00ba9561c03a73b5ea3cae3c44ff13ec6605095aaa1fb86589

Download Submit
C:\Windows\SysWOW64\config\systemprofile\Temp\HkApp.ini

Filesize
61B

MD5
f855ac45d227edbd3eafe2fc4ab555ea

SHA1
0181ff71ac9fdc6fb1c05530aeafd65b4fce0f45

SHA256
caa45a5696d539c6fcf6782819ecd3b365cbe554db70430dc30641fa522f3099

SHA512
3e4b8954480d99dc7fbbf491721fa4202d19a2673f602fc895bef42e985e119823105bd7f97256d59d2c744506a5088ae25a1d37ef8eafe8217a1b245d1abba0

Download Submit
C:\Windows\SysWOW64\licdat

Filesize
512B

MD5
bf619eac0cdf3f68d496ea9344137e8b

SHA1
5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5

SHA256
076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560

SHA512
df40d4a774e0b453a5b87c00d6f0ef5d753143454e88ee5f7b607134598294c7905ccbcf94bbc46e474db6eb44e56a6dbb6d9a1be9d4fb5d1b5f2d0c6ed34bfe

Download Submit
C:\Windows\SysWOW64\licdata

Filesize
160B

MD5
f5526d9d6d7f4e8058a643d9d0b29a19

SHA1
c4f35a46bdf54e9098a92eb8a96f2e42142cadc2

SHA256
72bab480b23d18a509f10dcfc032ff67281a5b68692d6620a147801700808e5c

SHA512
ccc4689106ddced22abc50b0fca90b58cdaacf2e2232fda63f61382bf736882f2ca2d90325ba1411fdbc6165a0b5ad02d95a637ef3c28d0354e35aba902e8a2c

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\SysWOW64\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
memory/3640-207-0x0000000001D60000-0x0000000001E00000-memory.dmp

Filesize
640KB

Download
memory/3640-148-0x0000000001040000-0x00000000010EE000-memory.dmp

Filesize
696KB

Download
memory/3640-226-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download