ab5d85d552e5cb1c5dae5a05da0a292b20966d1939e5ff90fda7adda2c5f2b4f

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
Size

4.0MB
MD5

0cded5aac4df0591c6d46646fe5871a9
SHA1

8de20cdaa14652187778096f1379c2f299fc3444
SHA256

ab5d85d552e5cb1c5dae5a05da0a292b20966d1939e5ff90fda7adda2c5f2b4f
SHA512

e958cf89143bdbf044f298a2a4278b8ad1581ed818647ec592b2eaa14c64cf6987dc7e94f7f9cf261b26e71089a0e3f21561c0115aed5245a0b1dce8854a1e3b
SSDEEP

98304:PyAOZqRn3fmR8hPK9AKaVVXgOsicL1ib4XWk9otXGjylW:PVCqR3fmR8hJZb+ibcWgNmlW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4868	DXSETUP.exe
1900	Installer.exe

Loads dropped DLL 37 IoCs

pid	Process
4868	DXSETUP.exe
4868	DXSETUP.exe
4868	DXSETUP.exe
4868	DXSETUP.exe
4868	DXSETUP.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe
1900	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SETC39E.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\XAPOFX1_5.dll	DXSETUP.exe
File created	C:\Windows\SysWOW64\SETC2D3.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SETC340.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SETC340.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SETC39E.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_43.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\XAudio2_7.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SETC2D3.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SETC44B.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\D3DX9_43.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SETC44A.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SETC44A.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SETC44B.tmp	DXSETUP.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DXSETUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft	Installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "39JJT3CCV9QRGBB00OJ6O7NE"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\ClickOnce35SP1Update	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "Y93040N3XO9MWAXL75RKD71E"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\ClickOnce35SP1Update\Action = "No cleanup required"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "WAKXRCLH5TT26QL0N5E1QVD4"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	Installer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Installer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe
Token: SeBackupPrivilege	4208	srtasks.exe
Token: SeRestorePrivilege	4208	srtasks.exe
Token: SeSecurityPrivilege	4208	srtasks.exe
Token: SeTakeOwnershipPrivilege	4208	srtasks.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4868	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	86
PID 2032 wrote to memory of 4868	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	86
PID 2032 wrote to memory of 4868	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	86
PID 2032 wrote to memory of 1900	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	96
PID 2032 wrote to memory of 1900	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	96
PID 2032 wrote to memory of 1900	2032	2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-10_0cded5aac4df0591c6d46646fe5871a9_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\DXSETUP.exe
  C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\DXSETUP.exe /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Installer.exe
  C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\D3DCompiler_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\JUN2010_D3DCompiler_43_x86.inf

Filesize
1KB

MD5
1a86443fc4e07e0945904da7efe2149d

SHA1
37a6627dbf3b43aca104eb55f9f37e14947838ce

SHA256
5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf

SHA512
c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\JUN2010_XAudio_x86.inf

Filesize
1KB

MD5
31d8732ac2f0a5c053b279adc025619f

SHA1
c8d6d2e88b13581b6638002e6f7f0c3a165fff3c

SHA256
d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da

SHA512
abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\JUN2010_d3dx9_43_x86.inf

Filesize
1KB

MD5
a11deb327119b65bacce49735edc4605

SHA1
0be2d7fa6254b138aa53d9146cda8fedbba93764

SHA256
6b33d32da02f664092d44b05237990f825b4062c105a063badcf978648b5e95b

SHA512
b0134a3d6f2d576e5fafb601014ab66fef91d661013acc8a7a9129940369a1d9ed5c0f228bb1666a4e891f09b4b18e83f0cb2080047aa84fa45ab663e5739a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\XAPOFX1_5.dll

Filesize
72KB

MD5
8a4cebf34370d689e198e6673c1f2c40

SHA1
b7e3d60f62d8655a68e2faf26c0c04394c214f20

SHA256
becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197

SHA512
d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\XAudio2_7.dll

Filesize
514KB

MD5
81dfddfb401d663ba7e6ad1c80364216

SHA1
c32d682767df128cd8e819cb5571ed89ab734961

SHA256
d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69

SHA512
7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\apr2007_xinput_x86.inf

Filesize
1KB

MD5
e188f534500688cec2e894d3533997b4

SHA1
f073f8515b94cb23b703ab5cdb3a5cfcc10b3333

SHA256
1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5

SHA512
332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\dxdllreg_x86.inf

Filesize
724B

MD5
8272579b6d88f2ee435aeea19ec7603d

SHA1
6d141721b4b3a50612b4068670d9d10c1a08b4ac

SHA256
54e098294ef0ad3b14b9c77642838b5992fe4573099d8397a1ef566d9e36da40

SHA512
9f1311803db1607e079b037f49d8643daa43b59ce6eafb173b18d5a40239a5515091c92b244ffe9cfef2da20530fb15deb6cf5937633b434c3262e765d5a3b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\dxupdate.dll

Filesize
168KB

MD5
94202f25810812f72953938552255fb8

SHA1
c1e88f196935d8affc1783ccf8b8954d7f2bfb62

SHA256
6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564

SHA512
65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\dxupdate.inf

Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXBFB6.tmp\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\APR2007_xinput_x86.cab

Filesize
52KB

MD5
c234df417c9b12e2d31c7fd1e17e4786

SHA1
92f32e74944e5166db72d3bfe8e6401d9f7521dd

SHA256
2acea6c8b9f6f7f89ec51365a1e49fbd0d8c42c53418bd0783dbf3f74a744e6d

SHA512
6cbae19794533ad9401f92b10bd9549638ba20ce38375de4f9d0e20af20d78819e46856151cc6818325af9ac774b8128e18fbebd2da5da4efbd417fc2af51dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\DSETUP32.DLL

Filesize
1.7MB

MD5
0f58ccd58a29827b5d406874360e4c08

SHA1
ba804292580be6186774e7f92e6dfb104e46bf25

SHA256
642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb

SHA512
3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\DXSETUP.exe

Filesize
524KB

MD5
ddce338bb173b32024679d61fb4f2ba6

SHA1
50e51f7c8802559dd9787b0aebc85f192b7e2563

SHA256
046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de

SHA512
7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\DXRedist\dsetup.dll

Filesize
87KB

MD5
9e0711bed229b60a853bcc5d10deaafc

SHA1
2bea53988bd35c5df5c9edcef0bc234c37289477

SHA256
def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0

SHA512
c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\ICSharpCode.SharpZipLib.dll

Filesize
197KB

MD5
c0f949d99c5f4eb25c2f70a7f1e7c9d1

SHA1
87400242cd5e57404b4c76f725165c55dc9f4a25

SHA256
d6645d9c348dd5cd24bba8ac82b55ef2f9f1ee583f3a100510e95a2d59a8ad4a

SHA512
dd78734143bf9deebe4f664ddae1ccca0837c2a410cb858b739dd8f7141d346cacb544d801333600b95fffe41088d34913f03f0c5ead618767a1083705326a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Installer.exe

Filesize
355KB

MD5
7826681e8a5f99526fb6cfcfc8caf401

SHA1
06cea72789ce112b741ea6958c076e2e858996ad

SHA256
966d971d4b3afd0ee627a3987b3e035402ba164fd0f73f7f816b5c8a598ff8cf

SHA512
a69f9453ebc091511d44fc6d10475c35f44b203b98767fb8790b2b93398cbbf374cc31442880442dd3ec876e9cb6cb389a6fbd227674836d7750004be8cf9035

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\LauncherMetrics.dll

Filesize
30KB

MD5
23a155256f212314f3d8d27ffa19ae9e

SHA1
b2a81d226cd754a2b39227cc16c7f2eab686277a

SHA256
ebac88884237a70d3b1dfdf4e6c65a71120b59f099ea952e2076ea30dff3adc7

SHA512
881056ed35943561374f86c0296c8bc48529510f869a21b1c5144d29313f5459e87e0eac42b04390cb6d292b2097074fce5ac107b19b67befceca55ba14d7627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Mono.Nat.dll

Filesize
46KB

MD5
e301977563d1c1e46d34034f706f859b

SHA1
501299b6c5f081114cbcfd56a8b67d01a0bbfceb

SHA256
d2a32038d328a5b805335a0978d7acacd6ea1cb98c05bf02b55411cfb536b13f

SHA512
99f0efba8b766f0a74915471314a5576f7aeea52251402e7954cce6dc227e07e17fa4570b0981724805c3bc48c9c5f1e7ae26b6331c51f8baf6e9c43b99ebab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\MonoTorrent.dll

Filesize
361KB

MD5
9b15eedaab01bdaefb515739d2d3316d

SHA1
80a175ebe3fd5f573c898ae7cace4a23dbd1c4eb

SHA256
67e65402cdb720d2061b1ea19bdcacb17bbc32869fa19c3edee818e5358f91c6

SHA512
88024b32a5a75c68bc90a5be30d7c8e01b8615f0d52f09407f258c5654b34f5b6385cd99a3050f9b33e846088cfb3f52cacc1c03b8786ab54d2125dfa9722d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Ubisoft.Localization.dll

Filesize
14KB

MD5
ff9154ee3b9a580daf535b086167a477

SHA1
5127cf9f5d1972b5bc8718286c510f5e57f40140

SHA256
0dfe0361997a5c29af42067894295a947abe3e3dc0e0f36b44eaee808dae9f07

SHA512
31621b79a5740a64e45bdb08fb34ba6937774774d9c0cdb4a70d2e63064e927ff8ac7c3d3fcf4a71181391482a27a5733eb248872c514ded9416ffc67c56f293

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Ubisoft.Update.dll

Filesize
165KB

MD5
9cc8e67c5675b3a13bf9dd01662b5ec0

SHA1
44f0f8fa9e73e3bfdcf01a4944037f04b9f8f2fd

SHA256
c3dc6e3c8a431df27be9476e59b2a99d23335244ff71129c1f9e092035b2e867

SHA512
8f3d360a436f9b84109cd0c7f5d36b213a9546fed9447c187bec6ef03ed468caeac47c0fb61568b5be04464b4df3ce8c682961d1710117076af2247d9c275ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\Ubisoft.Utils.dll

Filesize
101KB

MD5
b449cac85be3b14a90d11dbe5765b7d2

SHA1
c5dc43ce008d508494da031e54ee80d2d47e5053

SHA256
507698c9ce5f3a37a30166c9b0ca423f502a83b70f56d36d761a810b6b2dbd49

SHA512
f6a6f7ea0b369612a291837bd47ac01ded7e7f1c1aa0aee87bc3cc1637754492e65cdc372c8d751a119cedb6bf2e1469b243861a00b5ff9dde2bbe6ff0e2f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\UpdateContracts.dll

Filesize
19KB

MD5
bcc474be10a59e66a7a6d64217f21800

SHA1
955470abee31fc8234d5bcea1d03bee9f4725a1f

SHA256
c401f22e7b609eb92bae8e1bbf178b553ca2e9cb4fdf5334ccc49c1ef328cca1

SHA512
81655613f957356acf47960b2926d24c55419ce188d86e7c443a28d54a06debd7f33381f0184c7d1d8e158ca855f2c664a5a3e152ff53cbea593c69e070453ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3C9A-53E0-4F73-97D8-9F91F4F1F47A}\InstallLauncher\config.ini

Filesize
268B

MD5
c711848b6c1fa9bb299880f67fdd6e1d

SHA1
e5ac85e8a70b759e3de9ca8779d00cd862176ac4

SHA256
144d346caabee5608517d1177a1a56e5fbaff535ee3026bbc4e83a6071cf9896

SHA512
2e043511602107ccecc13f43496de15cf8dcd96e0c20c7d45b4a0c0b5bef0414e1a591db8375850f5db61df53edae4670641bcb5a65358759983f68ae25d2ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3~1\DXRedist\Jun2010_D3DCompiler_43_x86.cab

Filesize
909KB

MD5
f7f554aa613eccf065575b8c69717ef7

SHA1
8417886d47c19cf6892f4080ddd5aaa1a49db3e9

SHA256
417eebd5b19f45c67c94c2d2ba8b774c0fc6d958b896d7b1ac12cf5a0ea06e0e

SHA512
618f6dbb5bd9d44a8f10d119f5ef644f168fe3d8db986994e8cce31d1f11ff9ac872b389d1f218a82ff8b397bface587f97ca21e8f77433dbadb2ac475e9e6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3~1\DXRedist\Jun2010_XAudio_x86.cab

Filesize
271KB

MD5
9d2da3b1055120af7c2995896f5d51ed

SHA1
2df40d48c69d7cfb4e0c19f07a019f5f123303fa

SHA256
7b4332207563beba1103744b6db5399ad150e9e6838f9d5a71497e7eb3645ebf

SHA512
deb76247b3003fc59c0a95cc2a47d6dd56e2d75aec81c3ab6ca6c0c513fb054e8025c871e97b7d7f2c823df54a2fe8202f4c0caf677251070b8bce40d2db70f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3~1\DXRedist\Jun2010_d3dx9_43_x86.cab

Filesize
750KB

MD5
7749862c307e527366b6868326db8198

SHA1
bce9f21cdb1e101c7223c9e62eca61ec22d6bb81

SHA256
fcc6cf0966b4853d6fa3d32ab299cde5a9824feaecb0d4f34ea452fb9fd1c867

SHA512
b65a84535b749ade0f8ea1a8ab6239df8e82ad59cbdb07487fdbfcfcf57a565f493f56378e216859a081d23ddf7c671636f53ef821289d66452f09218080f02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3~1\DXRedist\dxdllreg_x86.cab

Filesize
41KB

MD5
a025c67403dc2c2bcd709aa9435faeb1

SHA1
0433ee289e96a0d83a0c66ec35cf906a3e063884

SHA256
8ad77a4d9c76f65cd62337588f847cc1e0ca6ca9735937f3a781f7395e9566a1

SHA512
56bced81de59d413238b01396fafa6442ef6db0afaf237a699966df4753ed1a0b555450fa308f6965689a67f9fb5efb5d377d5f602a8d453ecceddca41072b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{716F3~1\DXRedist\dxupdate.cab

Filesize
91KB

MD5
8adf5a3c4bd187052bfa92b34220f4e7

SHA1
b52be74c4489159bd343d3c647f28da1fd13d9b9

SHA256
13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f

SHA512
3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
11KB

MD5
9cfcd9047d6fa660bc24ade7e5f2c6a8

SHA1
c27c9b89b30ecdd8032d5e160893382ac1cec417

SHA256
e357885d8b70d9ce5666de0d138752a45f49e896bb19d2044a96927b4e0674d7

SHA512
87d4f130ff9be98d84a2207efcffea503bfa4b3b90c715112883491588560371a54c940c3b45175ca6f3308eea261eb4060b4a9f0d94f62a4d3299535223ffc8

Download Submit
memory/2732-1174-0x000000001A3E0000-0x000000001A400000-memory.dmp

Filesize
128KB

Download
memory/2732-1175-0x000000001A820000-0x000000001ABF4000-memory.dmp

Filesize
3.8MB

Download
memory/2732-1176-0x000000001AF30000-0x000000001B066000-memory.dmp

Filesize
1.2MB

Download