Windows Analysis Report
Archive.zip

Overview

General Information

Sample name:	Archive.zip
Analysis ID:	1541176
MD5:	c60cd0df4975d745722d1776d5be95b5
SHA1:	f8e2eb05478108eae1f8fa28f70ebb64163d032d
SHA256:	f1ed181ee30a70c0f71aacf7c592be0e6589421bc479e379109c4c3f572bb663
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Monitors registry run keys for changes

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries keyboard layouts

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Classification

Signatures

Source: icepdfeditor.exe, 0000001D.00000002.2071338915.000000006B677000.00000002.00000001.01000000.00000010.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_83bb44db-3

Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.IMPORTANT: THIS SOFTWARE END USER LICENSE AGREEMENT ("EULA") IS A LEGAL AGREEMENT BETWEEN YOU AND ICECREAM APPS LIMITED ("ICECREAMAPPS.COM"). USE OF THE SOFTWARE PROVIDED WITH THIS EULA (THE "SOFTWARE") CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS. READ IT CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL AND/OR USE THIS SOFTWARE. BY INSTALLING COPYING OR OTHERWISE USING THE SOFTWARE PRODUCT YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. 1. LICENSE GRANT. The Software is licensed on per user basis not per computer site or company. This license is not transferable to any other system or to another organization or individual. You are not allowed to remove any proprietary notices or labels from the SOFTWARE. The PRO license can be used on ONE computer belonging to ONE user. The PRO license applies to the version of the program on which it is activated.2. WARRANTY DISCLAIMER. THIS SOFTWARE AND ANY RELATED DOCUMENTATION is PROVIDED "AS IS" AND COMES WITHOUT ANY WARRANTY EITHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OR MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. THE USE AND PERFORMANCE OF THIS SOFTWARE ARE SOLELY AT YOUR OWN RISK.3. FREE USE. You may install and use the SOFTWARE free of charge for personal educational (non-profit) use. In these cases you are granted the right to use and to make an unlimited number of copies of this software. Some features of the SOFTWARE may be limited or unavailable in free version of the SOFTWARE. To enable all the features you need to upgrade the SOFTWARE to PRO version. Full list of limited features is presented on Upgrade page of the SOFTWARE at icecreamapps.com.4. COMMERCIAL USE. For usage in corporate or commercial environment you will need to upgrade the SOFTWARE to PRO version by obtaining an activation key at icecreamapps.com. 5. REVERSE ENGINEERING. You agree that you will not attempt to reverse compile modify translate or disassemble the Software in whole or in part. 6. COPYRIGHT. The SOFTWARE is intellectual property of Icecream Apps Ltd and is protected by law. You acknowledge that all intellectual property rights in the SOFTWARE anywhere in the world belong to Icecream Apps Ltd that rights in the SOFTWARE are licensed (not sold) to you and that you have no rights in or to the SOFTWARE other than the right to use them in accordance with the terms of this License. You are not allowed to resell charge for rent lease loan sublicense or assign the SOFTWARE or any copy thereof including any related documentation.7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ICECREAM APPS LTD BE LIABLE FOR ANY SPECIAL INCIDENTAL INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (IN
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.IMPORTANT: THIS SOFTWARE END USER LICENSE AGREEMENT ("EULA") IS A LEGAL AGREEMENT BETWEEN YOU AND ICECREAM APPS LIMITED ("ICECREAMAPPS.COM"). USE OF THE SOFTWARE PROVIDED WITH THIS EULA (THE "SOFTWARE") CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS. READ IT CAREFULLY BEFORE COMPLETING THE INSTALLATION PROCESS AND USING THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL AND/OR USE THIS SOFTWARE. BY INSTALLING COPYING OR OTHERWISE USING THE SOFTWARE PRODUCT YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. 1. LICENSE GRANT. The Software is licensed on per user basis not per computer site or company. This license is not transferable to any other system or to another organization or individual. You are not allowed to remove any proprietary notices or labels from the SOFTWARE. The PRO license can be used on ONE computer belonging to ONE user. The PRO license applies to the version of the program on which it is activated.2. WARRANTY DISCLAIMER. THIS SOFTWARE AND ANY RELATED DOCUMENTATION is PROVIDED "AS IS" AND COMES WITHOUT ANY WARRANTY EITHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OR MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. THE USE AND PERFORMANCE OF THIS SOFTWARE ARE SOLELY AT YOUR OWN RISK.3. FREE USE. You may install and use the SOFTWARE free of charge for personal educational (non-profit) use. In these cases you are granted the right to use and to make an unlimited number of copies of this software. Some features of the SOFTWARE may be limited or unavailable in free version of the SOFTWARE. To enable all the features you need to upgrade the SOFTWARE to PRO version. Full list of limited features is presented on Upgrade page of the SOFTWARE at icecreamapps.com.4. COMMERCIAL USE. For usage in corporate or commercial environment you will need to upgrade the SOFTWARE to PRO version by obtaining an activation key at icecreamapps.com. 5. REVERSE ENGINEERING. You agree that you will not attempt to reverse compile modify translate or disassemble the Software in whole or in part. 6. COPYRIGHT. The SOFTWARE is intellectual property of Icecream Apps Ltd and is protected by law. You acknowledge that all intellectual property rights in the SOFTWARE anywhere in the world belong to Icecream Apps Ltd that rights in the SOFTWARE are licensed (not sold) to you and that you have no rights in or to the SOFTWARE other than the right to use them in accordance with the terms of this License. You are not allowed to resell charge for rent lease loan sublicense or assign the SOFTWARE or any copy thereof including any related documentation.7. LIMITATION OF LIABILITY. IN NO EVENT SHALL ICECREAM APPS LTD BE LIABLE FOR ANY SPECIAL INCIDENTAL INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (IN

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.154:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49713 version: TLS 1.2

Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbDD source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2078018129.000000006C31E000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2101748504.000000006FBD3000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.1h\libcrypto-1_1.pdb source: icepdfeditor.exe, 0000001D.00000002.2090008272.000000006C5BF000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\6\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: icepdfeditor.exe, 0000001D.00000002.1988715143.000000006A461000.00000020.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: icepdfeditor.exe, 0000001D.00000002.2001625548.000000006A902000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2078018129.000000006C31E000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: icepdfeditor.exe, 0000001D.00000002.2102244107.000000006FBE4000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: d:\agent\_work\6\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: icepdfeditor.exe, 0000001D.00000002.2100429892.000000006C7B1000.00000020.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: icepdfeditor.exe, 0000001D.00000002.2103264195.000000006FC45000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Work\PdfEditor\icepdfeditor-Desktop_Qt_5_15_1_MSVC2019_32bit\bin\icepdfeditor.pdb source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.00000000010A2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2101290482.000000006FBC3000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.1h\libssl-1_1.pdb@@ source: icepdfeditor.exe, 0000001D.00000002.2099319800.000000006C660000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb''! source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1971413309.0000000069E86000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USE_32BIT_TIME_T -D_USING_V110_SDK71_ -D_WINSOCK_DEPRECATED_NO_WARNINGS -D_WIN32_WINNT=0x0501 source: icepdfeditor.exe, 0000001D.00000002.2090008272.000000006C556000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: icepdfeditor.exe, 0000001D.00000002.2067897717.000000006B5F7000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: icepdfeditor.exe, 0000001D.00000002.2102793776.000000006FC36000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb!! source: icepdfeditor.exe, 0000001D.00000002.2103264195.000000006FC45000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1971413309.0000000069E86000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2075960195.000000006C2B7000.00000002.00000001.01000000.0000002C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb"" source: icepdfeditor.exe, 0000001D.00000002.2102244107.000000006FBE4000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: msvcr120.i386.pdb source: icepdfeditor.exe, 0000001D.00000002.1982989536.000000006A2F1000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: msvcp120.i386.pdb source: icepdfeditor.exe, 0000001D.00000002.1986865023.000000006A3E1000.00000020.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbV source: icepdfeditor.exe, 0000001D.00000002.2001625548.000000006A902000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb source: icepdfeditor.exe, 0000001D.00000002.2065581136.000000006B596000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.1h\libssl-1_1.pdb source: icepdfeditor.exe, 0000001D.00000002.2099319800.000000006C660000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: icepdfeditor.exe, 0000001D.00000002.2028019665.000000006AEAF000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\agent\_work\6\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: icepdfeditor.exe, 0000001D.00000002.1989207627.000000006A481000.00000020.00000001.01000000.00000017.sdmp
Source:	Binary string: @ compiler: cl /Z7 /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USE_32BIT_TIME_T -D_USING_V110_SDK71_ -D_WINSOCK_DEPRECATED_NO_WARNINGS -D_WIN32_WINNT=0x0501OpenSSL 1.1.1h 22 Sep 2020built on: Wed Sep 23 11:25:01 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: icepdfeditor.exe, 0000001D.00000002.2090008272.000000006C556000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: E:\distr\development\crashrpt\CrashRpt_v.1.4.3_r1645\bin\CrashRpt1403.pdb source: icepdfeditor.exe, 0000001D.00000002.2073061037.000000006B6AF000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdbTT source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2080740262.000000006C386000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: E:\distr\development\crashrpt\CrashRpt_v.1.4.3_r1645\bin\CrashSender.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtwinextras\lib\Qt5WinExtras.pdb00! source: icepdfeditor.exe, 0000001D.00000002.2065581136.000000006B596000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb,, source: icepdfeditor.exe, 0000001D.00000002.2067897717.000000006B5F7000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: icepdfeditor.exe, 0000001D.00000002.2053745689.000000006B3B7000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1979732769.0000000069FDD000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2080740262.000000006C386000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2100854859.000000006FBB3000.00000002.00000001.01000000.0000002B.sdmp

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0040A3B8 FindFirstFileA,GetLastError,	19_2_0040A3B8
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0040A07E FindFirstFileA,FindClose,	19_2_0040A07E
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0040A190 FindFirstFileA,FindClose,	19_2_0040A190
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00406490 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	19_2_00406490

Source: chrome.exe

Memory has grown: Private usage: 7MB later: 28MB

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 92.223.124.62 92.223.124.62

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=x9SUlfM75X4bzF8&MD=Foo2cD4g HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAVkny3l8ADmu2b%2BEKKgzCpdTAWFDUfQu6sWyczB%2BfWyiQm4dLJoGC3v2bPV21Kqef8rxlKD68%2BLYFpCyxvv8jPDVg6hQFB9x/VUkTw5FiK9YI6bQFpazgHSjzaKaJQurF%2BTLIGvKfusQS1iWjoRhE8zgVgtN9U85w06NQL/7LfhN6s5XGb8uQ4JrZGHEq8f5uf0EAJKrbX%2BdfzMCPGY6srpGMUfBCQ1h5IrPLf9IPd9LYJsr9vUNXZAN4fP/PYoSQOE9dF025nmqRozekVT7MBBhnWD6gKz4IGR4SV3igJaIRrlFmbaMFFZkahBmHv4BN/95jYoox6u9ikKlWI574LUQZgAAEHyBpcfvcRVb34lM2kYbMC6wATSCqNC9%2BSzjtig7VScBAHn/SP0CO04%2BclPjHV6QSG12UUzG0pflF%2BXwt9ft420zzNVL5KlixrnpPNRmvJuSKrTOQfedTaagQLvmLx9BYZeKNgqiT1IltQ2tixFvOhtBSpCzqQdwJdi/9LPYxc6N02NicgV5QzBpuOh7/RbB98wUSZgrPIpukABMa1ysLAlagyXOQM/fy//68h0F2lv9cFU7FLVY2MAxpqATUTLoqywbGCeKqCcAhDN%2BtxbGjg/pGKzeFZ8AKuZNwwGv/vG7u1Pi71iBwR2wo1NoRKUOb/uEeUxKo0u77uiWpMe5%2Bx0RG6l9UnY/0XYz9vdDsIIfPJ9fpxE7RP6hLxAb4Q39SEYfuc/SrK1ura%2BQc5hnCK0Yo92dqDQHc43/%2ByKmt2FbvrNPFBCWah62EjLXykT8Dx4p4D3R0Ux/d9j%2B5acObnVoy4POdtm6vLt58F%2BF6ki0nChZkj2A0EszEouSKlgc4A1dBFfg5Q/74Xhr%2BTF5SJkCuHVWwzT9m9UkzCw6Zgifu/O3bgjd7niGijpTmXIEpKgWjd2LINbl/WxwDZOdz5SVmdoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1729773762User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: BC21A450E04C4969947AF78C26526D18X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=x9SUlfM75X4bzF8&MD=Foo2cD4g HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /PDF-Editor/thankyou.html?v=3.27 HTTP/1.1Host: icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /www/images/content/thank2.svg HTTP/1.1Host: icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/thank.svg HTTP/1.1Host: icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/illustration-box.svg HTTP/1.1Host: icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/index.css?f12bd40a HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://icecreamapps.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/header-logo.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/icecreams_bg.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/thank2.svg HTTP/1.1Host: icecreamapps.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/thank.svg HTTP/1.1Host: icecreamapps.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/illustration-box.svg HTTP/1.1Host: icecreamapps.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=h19tt2k3grrssobbu73hh3ucle; ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/icecreams_bg.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/header-logo.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/webpack_sprite.css-0c046a40.712f8ffc.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.icecreamapps.com/www/index.css?f12bd40aAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/webpack_sprite2-bf5a251c.04e5ea75.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.icecreamapps.com/www/index.css?f12bd40aAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/star_bg.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.icecreamapps.com/www/index.css?f12bd40aAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/content/wave_bg.svg HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://static.icecreamapps.com/www/index.css?f12bd40aAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/home-page-images/pdf-editor.png HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504
Source: global traffic	HTTP traffic detected: GET /www/images/home-page-images/video-editor.png HTTP/1.1Host: static.icecreamapps.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://icecreamapps.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ic_d=671a40e799a863.45409504

Source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp

String found in binary or memory: j04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: icecreamapps.com
Source: global traffic	DNS traffic detected: DNS query: static.icecreamapps.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/crashrpt/wiki/FAQ
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1435886831.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1440126752.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000018.00000003.1709866734.0000000002805000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://counter-strike.com.ua/
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Patch.exe, 00000013.00000002.2289932697.00000000005FB000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://fontawesome.io
Source: Patch.exe, 00000013.00000002.2289932697.00000000005FB000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: Patch.exe, 00000013.00000002.2289932697.00000000005FB000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1719881895.0000000002304000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1715138735.00000000023F4000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000018.00000003.1711123378.0000000002334000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1701495714.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/PDF-Editor/
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1435886831.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1440126752.0000000003300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/PDF-Editor/Fhttp://icecreamapps.com/PDF-Editor/Fhttp://icecreamapps.com/PDF-
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1719881895.0000000002304000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/PDF-Editor/QN0
Source: pdf_editor_setup_Downloadly.ir.exe, 00000018.00000003.1711123378.0000000002334000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/PDF-Editor/QN3
Source: icepdfeditor.exe, 0000001D.00000003.1913766286.000000000162B000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1945397183.0000000001630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/act/crashfix/index.php/crashReport/uploadExternal
Source: icepdfeditor.exe, 0000001D.00000002.1945785929.0000000001641000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1913766286.0000000001641000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1918843286.0000000001641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://icecreamapps.com/act/crashfix/index.php/crashReport/uploadExternal:0
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://icecreamapps.com/act/crashfix/index.php/crashReport/uploadExternalCould
Source: icepdfeditor.exe, 0000001D.00000002.1960167865.0000000006E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adC
Source: icepdfeditor.exe	String found in binary or memory: http://ns.ado
Source: icepdfeditor.exe	String found in binary or memory: http://ns.adobe
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1969043711.000000000A1BA000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1817899487.000000000A18C000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1865136845.000000000A1B8000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000003.1893304822.000000000A1BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updates.icecreamapps.com/check.php
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://updates.icecreamapps.com/check.phphttps://icecreamapps.comhttps://icecreamapps.com/PDF-Editor
Source: icepdfeditor.exe, 0000001D.00000002.1960167865.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.2028019665.000000006AEAF000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: icepdfeditor.exe, 0000001D.00000002.1960167865.0000000006E10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/N
Source: icepdfeditor.exe, 0000001D.00000002.1944278540.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/iveEventnd:
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: icepdfeditor.exe, 0000001D.00000002.2028019665.000000006AEAF000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.color.org)
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1435886831.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1440126752.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000018.00000003.1711123378.0000000002220000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1701495714.0000000002300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000000.1438701182.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: icepdfeditor.exe, 0000001D.00000003.1734374953.0000000004C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: icepdfeditor.exe, 0000001D.00000003.1734374953.0000000004C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: icepdfeditor.exe, 0000001D.00000003.1734374953.0000000004C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: icepdfeditor.exe, 0000001D.00000003.1734374953.0000000004C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/&
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: icepdfeditor.exe, 0000001D.00000003.1737462276.0000000004C8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: icepdfeditor.exe, 0000001D.00000003.1734374953.0000000004C85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000000.1435155031.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1435886831.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1719881895.00000000022C1000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1440126752.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1704845723.0000000000883000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1704796702.0000000003733000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1701495714.0000000002300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.0000000003521000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mpegla.com
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1435886831.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000003.1440126752.0000000003300000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000018.00000003.1711123378.0000000002220000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.palkornel.hu/innosetup%1
Source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: icepdfeditor.exe, 0000001D.00000002.2013235487.000000006AAE3000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000000.1438701182.0000000000401000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: icepdfeditor.exe, 0000001D.00000003.1761046440.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1910520523.0000000003E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.c31
Source: icepdfeditor.exe, 0000001D.00000003.1711553418.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1710437373.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1710079274.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1711915994.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1709402150.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1709646756.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1710283270.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: icepdfeditor.exe, 0000001D.00000003.1933039472.0000000005E72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: icepdfeditor.exe, 0000001D.00000002.2071954494.000000006B68A000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/V
Source: icepdfeditor.exe, 0000001D.00000002.2071338915.000000006B677000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: icepdfeditor.exe, 0000001D.00000002.2071954494.000000006B68A000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: icepdfeditor.exe, 0000001D.00000002.2071338915.000000006B677000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: icepdfeditor.exe, 0000001D.00000002.2071338915.000000006B677000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://data.icecreamapps.com
Source: icepdfeditor.exe, 0000001D.00000003.1890727567.0000000003E25000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1952704771.0000000003E25000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1764982543.0000000003E0E000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1911993165.0000000003E23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://data.icecreamapps.com-
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://data.icecreamapps.com/?pid=%1&ver=%2&dev=%3Send
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://google.ru
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://google.ruSome
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, Patch.exe, Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/Howto/how-to-make-icecream-pdf-editor-your-default-PDF-reader.html
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1701495714.0000000002414000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000003.1918222447.000000000A06D000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/changelog.html
Source: icepdfeditor.exe, 0000001D.00000003.1918222447.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/changelog.htmlBs
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1704845723.0000000000883000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1451721184.00000000033EE000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.00000000035AC000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000002.1706424936.0000000000883000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.00000000035BB000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1704845723.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27#wdG
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1704845723.0000000000883000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000002.1706424936.0000000000883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27=prF
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000002.1705675028.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27C:
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27X
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27h
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27r
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27u
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1699316350.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1703731584.00000000008D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27x
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1700066060.0000000003521000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/uninstall.html?v=3.27
Source: icepdfeditor.exe, 0000001D.00000003.1918222447.000000000A06D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/upgrade.html1)
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1944278540.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/upgrade.html?v=%1&t=%2
Source: icepdfeditor.exe, 0000001D.00000003.1826516467.000000000A2F7000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1860500985.000000000A2F6000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1817899487.000000000A2CE000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1867303496.000000000A2F7000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1917400279.000000000A2F7000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1898061898.000000000A2F7000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000003.1893655796.000000000A2F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/PDF-Editor/upgrade.html?v=3.27&t=9Ztt_3
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/act/license.php
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/act/license.phphttps://icecreamapps.com/go/license_date.phpInvalid
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000E4A000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000002.1943132606.0000000000FE7000.00000002.00000001.01000000.0000000E.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000000FEA000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/go/help.php?prod=pde
Source: icepdfeditor.exe, 0000001D.00000003.1913766286.000000000162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.com/go/help.php?prod=pdes8
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://icecreamapps.com/go/license_date.php
Source: Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp	String found in binary or memory: https://icecreamapps.comU
Source: icepdfeditor.exe, 0000001D.00000003.1913766286.000000000162B000.00000004.00000020.00020000.00000000.sdmp, icepdfeditor.exe, 0000001D.00000002.1945397183.0000000001630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://icecreamapps.comq
Source: Patch.exe, Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Patch.exe, 00000013.00000002.2329481554.000000000256C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ko-fi.com/radixx11
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://mail.ru
Source: Patch.exe, 00000013.00000002.2329481554.000000000256C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://radixx11rce3.blogspot.com
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Patch.exe, 00000013.00000003.2107417937.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1437601534.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.exe, 00000015.00000003.1436932557.00000000025E3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: icepdfeditor.exe, 0000001D.00000002.2095573440.000000006C5F0000.00000002.00000001.01000000.00000020.sdmp, icepdfeditor.exe, 0000001D.00000002.2100049924.000000006C681000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.0000000006694000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000060A0000.00000004.00001000.00020000.00000000.sdmp, pdf_editor_setup_Downloadly.ir.tmp, 00000019.00000003.1690189697.00000000066EE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W
Source: icepdfeditor.exe, 00000002.00000000.1138515703.0000000000B87000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 00000014.00000000.1365606055.0000000000EE3000.00000002.00000001.01000000.00000003.sdmp, icepdfeditor.exe, 0000001D.00000000.1687836054.0000000001083000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://ya.ru

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.17:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.154:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.17:49713 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00407EAE OpenClipboard,

19_2_00407EAE

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00407F5E SetClipboardData,

19_2_00407F5E

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00407C0E GetClipboardData,

19_2_00407C0E

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00407BDE GetAsyncKeyState,

19_2_00407BDE

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: Patch.exe PID: 7148, type: MEMORYSTR

Drops certificate files (DER)

Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe

File created: C:\Users\user\AppData\Local\Icecream\Icecream PDF Editor\sx.dat

Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00407AE6 NtdllDefWindowProc_A,

19_2_00407AE6

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00402364	19_2_00402364
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00405E20	19_2_00405E20
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E69244	29_3_03E69244
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E69244	29_3_03E69244
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_0632F18A	29_3_0632F18A
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E69244	29_3_03E69244
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E69244	29_3_03E69244
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_06434FE0	29_3_06434FE0
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_06434FE0	29_3_06434FE0
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_063216CB	29_3_063216CB
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_06434FE0	29_3_06434FE0
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_06434FE0	29_3_06434FE0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: String function: 00411D24 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: String function: 00404D38 appears 69 times

PE file contains executable resources (Code or Archives)

Source: pdf_editor_setup_Downloadly.ir.tmp.21.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: pdf_editor_setup_Downloadly.ir.tmp.21.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: pdf_editor_setup_Downloadly.ir.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: pdf_editor_setup_Downloadly.ir.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-35OOR.tmp.25.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-35OOR.tmp.25.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

PE file does not import any functions

Source: is-JVLRB.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-6QUBS.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-2NJ94.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GG0V7.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-U9H98.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-H0PO3.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-7BQVT.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GM1JG.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-3K7GS.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-VE7S6.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-6T20U.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-D4QJJ.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-FTNRU.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-SP875.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-MHP3S.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-EPR7I.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-PHFLI.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-0D98S.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-TH7JO.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-VLJUB.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-69TKB.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GSK92.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-NVQPH.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-NOVTB.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-OCGTL.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-5TRC1.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-4J866.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-004SO.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GJHED.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GFA8N.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-SCUOF.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-GHL0F.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-EIH23.tmp.25.dr	Static PE information: No import functions for PE file found
Source: is-TE02E.tmp.25.dr	Static PE information: No import functions for PE file found

Source: is-8A9MI.tmp.25.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: sus36.winZIP@29/233@10/5

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_0040A62A GetDiskFreeSpaceA,

19_2_0040A62A

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_00410616 CoCreateInstance,

19_2_00410616

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

Code function: 19_2_0041C724 FindResourceA,

19_2_0041C724

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe

File created: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe.BAK

Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/temp/qtsingleapp-icepdf-b4e9-1-lockfile
Source: C:\Windows\System32\Taskmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Mutant created: \Sessions\1\BaseNamedObjects\Patch.exe_IcecreamAppsPatch_2.3.0.2
Source: C:\Windows\System32\Taskmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03

Source: Yara match	File source: 19.2.Patch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_5947d8bd2f31bedc98f322800cabd2fb85e56117-2.zip\icepdfeditor.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$60464,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$10480 /NOTIFYWND=$60464
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$30476,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$10480 /NOTIFYWND=$60464
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1904,i,13854701791661007299,5941582953959067631,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process created: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe "C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe" -inst
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$60464,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process created: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe "C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe" -inst	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp "C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp" /SL5="$30476,22152334,238080,C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe" /SPAWNWND=$10480 /NOTIFYWND=$60464	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1904,i,13854701791661007299,5941582953959067631,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Icecream PDF Editor 3.lnk.25.dr	LNK file: ..\..\..\..\..\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe
Source: Icecream PDF Editor 3.lnk0.25.dr	LNK file: ..\..\..\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe

Source: is-H1NLV.tmp.25.dr	Static PE information: section name: .didata
Source: is-KV5AF.tmp.25.dr	Static PE information: section name: .00cfg
Source: is-JNCTP.tmp.25.dr	Static PE information: section name: .00cfg
Source: is-T3UFK.tmp.25.dr	Static PE information: section name: .didat
Source: is-KOOGP.tmp.25.dr	Static PE information: section name: _RDATA
Source: is-8A9MI.tmp.25.dr	Static PE information: section name: .qtmimed
Source: is-GKK4N.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-7CFBI.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-9D65U.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-G0A35.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-UEUJE.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-D9HS6.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-G4PS3.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-POG0R.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-Q1DIU.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-PGJGK.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-MKJLC.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-TP8U8.tmp.25.dr	Static PE information: section name: .qtmetad
Source: is-FGB9V.tmp.25.dr	Static PE information: section name: .didata
Source: is-7K6P0.tmp.25.dr	Static PE information: section name: .00cfg
Source: is-GUEVQ.tmp.25.dr	Static PE information: section name: .00cfg
Source: is-K9P18.tmp.25.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041B900 push ecx; mov dword ptr [esp], edx	19_2_0041B905
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_004080C8 push ecx; mov dword ptr [esp], eax	19_2_004080C9
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041E1AC push ecx; mov dword ptr [esp], edx	19_2_0041E1AD
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_004243CC push ecx; mov dword ptr [esp], edx	19_2_004243CE
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0040F40C push ecx; mov dword ptr [esp], edx	19_2_0040F411
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_004096C4 push ecx; mov dword ptr [esp], ecx	19_2_004096C9
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041B6BC push ecx; mov dword ptr [esp], eax	19_2_0041B6BD
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041873C push 004187B2h; ret	19_2_004187AA
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_004188EC push ecx; mov dword ptr [esp], ecx	19_2_004188EF
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_004039A4 push eax; ret	19_2_004039E0
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00419AEC push 00419B39h; ret	19_2_00419B31
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041BB5C push ecx; mov dword ptr [esp], edx	19_2_0041BB61
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00418BC8 push ecx; mov dword ptr [esp], ecx	19_2_00418BCA
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0040FC56 push 0040FDF3h; ret	19_2_0040FDEB
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041BC7C push ecx; mov dword ptr [esp], edx	19_2_0041BC81
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_0041BCC0 push ecx; mov dword ptr [esp], edx	19_2_0041BCC5
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: 19_2_00406FA6 push 00407003h; ret	19_2_00406FFB
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6E1 push eax; retf	29_3_03E4E6E2
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6E9 push ebx; retf	29_3_03E4E6EA
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6F1 push esp; retf	29_3_03E4E6F2
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6D1 push ebx; retf	29_3_03E4E6D2
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6B7 push 58A00628h; retf	29_3_03E4E6CA
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4DB38 push E80169C4h; ret	29_3_03E4DB4D
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_07208480 pushad ; iretd	29_3_07208489
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_063B3DB0 push es; retf	29_3_063B3DB8
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_063B3DB0 push es; retf	29_3_063B3DB8
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_063B3DB0 push es; retf	29_3_063B3DB8
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6E1 push eax; retf	29_3_03E4E6E2
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6E9 push ebx; retf	29_3_03E4E6EA
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6F1 push esp; retf	29_3_03E4E6F2
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Code function: 29_3_03E4E6D1 push ebx; retf	29_3_03E4E6D2

Source: is-K0S4S.tmp.25.dr	Static PE information: section name: .text entropy: 6.9566713846558015
Source: is-VR24E.tmp.25.dr	Static PE information: section name: .text entropy: 6.9566713846558015

Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Icecream PDF Editor 3.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_274f715c8cf38126dbbd4bcae3b6fed8ecedb649.zip\pdf_editor_setup_Downloadly.ir.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Icecream PDF Editor 3\icepdfeditor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SDSTO.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3U6N3.tmp\pdf_editor_setup_Downloadly.ir.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000002.1717250638.000000000086B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: pdf_editor_setup_Downloadly.ir.tmp, 00000016.00000002.1717250638.000000000086B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: icepdfeditor.exe, 0000001D.00000002.2035609545.000000006B0BF000.00000008.00000001.01000000.00000015.sdmp	Binary or memory string: j.?AVQEmulationPaintEngine@@
Source: Patch.exe, 00000013.00000002.2320910640.0000000000917000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
Source: icepdfeditor.exe, 0000001D.00000002.2035609545.000000006B0BF000.00000008.00000001.01000000.00000015.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: Patch.exe, Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Shell_TrayWnd
Source: Patch.exe, 00000013.00000002.2289932697.0000000000401000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	19_2_00406654
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: GetLocaleInfoA,	19_2_0040D2E8
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_d09ac12e80d793e2bb60f6dc17656721cb8751bf-2.zip\Patch.exe	Code function: GetLocaleInfoA,	19_2_0040D29C

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false
92.223.124.62	cl-2d703670.gcdn.co	Austria	199524	GCOREAT	false
37.58.52.149	icecreamapps.com	Germany	28753	LEASEWEB-DE-FRA-10DE	false

Name	IP	Active
icecreamapps.com	37.58.52.149	true
www.google.com	142.250.181.228	true
cl-2d703670.gcdn.co	92.223.124.62	true
static.icecreamapps.com	unknown	unknown

Name	Malicious	Reputation
https://static.icecreamapps.com/www/images/content/wave_bg.svg	false	unknown
https://static.icecreamapps.com/www/webpack_sprite.css-0c046a40.712f8ffc.svg	false	unknown
https://icecreamapps.com/PDF-Editor/thankyou.html?v=3.27	false	unknown
https://static.icecreamapps.com/www/images/home-page-images/pdf-editor.png	false	unknown
https://static.icecreamapps.com/www/webpack_sprite2-bf5a251c.04e5ea75.svg	false	unknown
https://static.icecreamapps.com/www/images/content/icecreams_bg.svg	false	unknown
https://static.icecreamapps.com/www/images/content/star_bg.svg	false	unknown
https://icecreamapps.com/www/images/content/thank.svg	false	unknown
https://static.icecreamapps.com/www/images/content/header-logo.svg	false	unknown

ID:	1541176
Product:	CloudBasic
Start time:	14:41:52
Start date:	24.10.2024
Sample:	Archive.zip
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c60cd0df4975d745722d1776d5be95b5
SHA1:	f8e2eb05478108eae1f8fa28f70ebb64163d032d
SHA256:	f1ed181ee30a70c0f71aacf7c592be0e6589421bc479e379109c4c3f572bb663
Filetype:	ZIP compressed archive (8000/1) 99.91%

Windows Analysis Report Archive.zip

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Archive.zip