├── README.md ├── LICENSE ├── decrypt_strings_ida.py ├── .gitignore ├── compute_botid_and_regkeys.py ├── icedid_20210507.yar └── icedid_hashes.csv /README.md: -------------------------------------------------------------------------------- 1 | # icedid_analysis 2 | This repository contains analysis scripts, YARA rules, and additional IoCs related to the blog post TBA. 3 | 4 | - `icedid_20210507.yar`: several YARA rules to detect (binary) components of IcedID's infection chain 5 | - `decrypt_strings_ida.py`: example implementation of core string decryption of 2021 IcedID samples using IDAPython / IDA Pro 7.6 6 | - `compute_botid_and_regkeys.py`: computes bot ID and account-specific registry keys for IcedID's global storage 7 | - `icedid_hashes.csv`: list of hashes that match the rules from `icedid_20210507.yar` 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Deutsche Telekom Security GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /decrypt_strings_ida.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | from malduck import xor 4 | from malduck.bits import rol, ror 5 | 6 | import ida_bytes 7 | 8 | 9 | def generate_round_key(seed): 10 | # .text:0000000180015B00 decrypt_string_shifting proc near ; CODE XREF: decrypt_string+65↑p 11 | # .text:0000000180015B00 ; sub_18000A56C+117↑p ... 12 | # .text:0000000180015B00 lea eax, [rcx+2E59h] 13 | # .text:0000000180015B06 ror eax, 1 14 | # .text:0000000180015B08 ror eax, 1 15 | # .text:0000000180015B0A ror eax, 2 16 | # .text:0000000180015B0D xor eax, 151Dh 17 | # .text:0000000180015B12 rol eax, 2 18 | # .text:0000000180015B15 rol eax, 1 19 | # .text:0000000180015B17 retn 20 | # .text:0000000180015B17 decrypt_string_shifting endp 21 | eax = seed + 0x2E59 22 | eax = ror(eax, 1) 23 | eax = ror(eax, 1) 24 | eax = ror(eax, 2) 25 | eax = struct.unpack("I", xor(struct.pack("I", eax)[0:2], struct.pack("H", 0x151D)) + struct.pack("I", eax)[2:4])[0] 26 | eax = rol(eax, 2) 27 | eax = rol(eax, 1) 28 | return eax 29 | 30 | 31 | def decrypt_string(offset): 32 | b = ida_bytes.get_bytes(offset, 0x200) 33 | str_size = struct.unpack("H", xor(b[4:6], b[0:2]))[0] 34 | xor_key_index = 6 35 | decrypted_string = "" 36 | 37 | seed = ida_bytes.get_dword(offset) 38 | for current_offset in range(str_size): 39 | seed = generate_round_key(seed) 40 | current_dec_chr = b[xor_key_index] ^ (seed & 0xFF) 41 | xor_key_index += 1 42 | decrypted_string += chr(current_dec_chr) 43 | return decrypted_string 44 | 45 | 46 | # This is an example script that implements the core decryption 47 | # algorithm of current IcedID samples. 48 | print(decrypt_string(0x1800208B8)) 49 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /compute_botid_and_regkeys.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import hashlib 3 | import struct 4 | from malduck.bits import ror 5 | 6 | 7 | def change_endian_of_str(s): 8 | if len(s) == 8: 9 | return s[6:] + s[4:6] + s[2:4] + s[:2] 10 | elif len(s) == 12: 11 | return s[2:4] + s[:2] + s[10:] + s[8:10] + s[6:8] + s[4:6] 12 | else: 13 | return s[2:] + s[:2] 14 | 15 | 16 | def build_reg_key_guid(h): 17 | # {%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X} 18 | return '{' + f'{change_endian_of_str(h[:8])}-{change_endian_of_str(h[8:12])}-{change_endian_of_str(h[12:16])}-{change_endian_of_str(h[16:20])}-{change_endian_of_str(h[20:])}' + '}' 19 | 20 | 21 | def compute_registry_key(key_name, bot_id): 22 | temp_key = 0x0 23 | for c in key_name: 24 | temp_key = (ord(c) + ror(temp_key, 0xD)) & 0xFFFFFFFF 25 | 26 | xored_bot_id = temp_key ^ bot_id 27 | 28 | md5 = hashlib.md5(key_name.encode()) 29 | md5.update(struct.pack("I", xored_bot_id)) 30 | hashed_key_name = md5.hexdigest().upper() 31 | final_reg_key = build_reg_key_guid(hashed_key_name) 32 | return final_reg_key 33 | 34 | 35 | def fnv32a(string): 36 | hval = 0x811c9dc5 37 | fnv_32_prime = 0x01000193 38 | uint32_max = 2 ** 32 39 | for s in string: 40 | hval = hval ^ ord(s) 41 | hval = (hval * fnv_32_prime) % uint32_max 42 | return hval 43 | 44 | 45 | def compute_bot_id(sid, second_value): 46 | tmp = fnv32a(sid) ^ 0x87EA50BD 47 | bot_id = struct.unpack(">I", struct.pack(">I", tmp))[0] 48 | bot_id_negated = ~tmp + (1 << 32) 49 | return bot_id, bot_id_negated 50 | 51 | 52 | def parse_args(): 53 | parser = argparse.ArgumentParser() 54 | parser.add_argument("SID", 55 | help="SID of local account, e.g. S-1-5-21-1984500107-304187221-49949575") 56 | args = parser.parse_args() 57 | return args 58 | 59 | 60 | def main(): 61 | args = parse_args() 62 | second_value = b'\x91\x06\x2d\x3c' 63 | bot_id = compute_bot_id(args.sid, second_value) 64 | print(f'The bot id for SID {args.sid} is {hex(bot_id[0])} and {hex(bot_id[1])} (negated)') 65 | 66 | # hardcoded in binary, future update maybe required 67 | REGISTRY_KEYS = ["{0ccac395-7d1d-4641-913a-7558812ddea2}", 68 | "{d65f4087-1de4-4175-bbc8-f27a1d070723}", 69 | "{e3f38493-f850-4c6e-a48e-1b5c1f4dd35f}"] 70 | 71 | for k in REGISTRY_KEYS: 72 | print(k, '=>', compute_registry_key(k, bot_id[1])) 73 | 74 | 75 | if __name__ == '__main__': 76 | main() 77 | -------------------------------------------------------------------------------- /icedid_20210507.yar: -------------------------------------------------------------------------------- 1 | rule fake_gzip_bokbot_202104 2 | { 3 | meta: 4 | author = "Thomas Barabosch, Telekom Security" 5 | date = "2021-04-20" 6 | description = "fake gzip provided by CC" 7 | strings: 8 | $gzip = {1f 8b 08 08 00 00 00 00 00 00 75 70 64 61 74 65} 9 | condition: 10 | $gzip at 0 11 | } 12 | 13 | rule win_iceid_gzip_ldr_202104 14 | { 15 | meta: 16 | author = "Thomas Barabosch, Telekom Security" 17 | date = "2021-04-12" 18 | description = "2021 initial Bokbot / Icedid loader for fake GZIP payloads" 19 | strings: 20 | $internal_name = "loader_dll_64.dll" 21 | $string0 = "_gat=" wide 22 | $string1 = "_ga=" wide 23 | $string2 = "_gid=" wide 24 | $string3 = "_u=" wide 25 | $string4 = "_io=" wide 26 | $string5 = "GetAdaptersInfo" 27 | $string6 = "WINHTTP.dll" 28 | $string7 = "DllRegisterServer" 29 | $string8 = "PluginInit" 30 | $string9 = "POST" wide 31 | $string10 = "aws.amazon.com" wide 32 | condition: 33 | 8 of them and $internal_name 34 | } 35 | 36 | rule win_iceid_core_ldr_202104 37 | { 38 | meta: 39 | author = "Thomas Barabosch, Telekom Security" 40 | date = "2021-04-13" 41 | description = "2021 loader for Bokbot / Icedid core (license.dat)" 42 | strings: 43 | $internal_name = "sadl_64.dll" 44 | $string0 = "GetCommandLineA" 45 | $string1 = "LoadLibraryA" 46 | $string2 = "ProgramData" 47 | $string3 = "SHLWAPI.dll" 48 | $string4 = "SHGetFolderPathA" 49 | $string5 = "DllRegisterServer" 50 | $string6 = "update" 51 | $string7 = "SHELL32.dll" 52 | $string8 = "CreateThread" 53 | condition: 54 | 6 of them and $internal_name 55 | } 56 | 57 | rule win_iceid_core_202104 58 | { 59 | meta: 60 | author = "Thomas Barabosch, Telekom Security" 61 | date = "2021-04-12" 62 | description = "2021 Bokbot / Icedid core" 63 | strings: 64 | $internal_name = "fixed_loader64.dll" 65 | $string0 = "mail_vault" wide 66 | $string1 = "ie_reg" wide 67 | $string2 = "outlook" wide 68 | $string3 = "user_num" wide 69 | $string4 = "cred" wide 70 | $string5 = "Authorization: Basic" 71 | $string6 = "VaultOpenVault" 72 | $string7 = "sqlite3_free" 73 | $string8 = "cookie.tar" 74 | $string9 = "DllRegisterServer" 75 | $string10 = "PT0S" wide 76 | condition: 77 | 8 of them and $internal_name 78 | } 79 | -------------------------------------------------------------------------------- /icedid_hashes.csv: -------------------------------------------------------------------------------- 1 | fake_gzip_bokbot_202104, 1c1cfc1a591923c8d6de2bf11072c50e1f45ec56dcc5996dae22b5812715338e 2 | fake_gzip_bokbot_202104, 3049dd8e68561d2582413fa899184ee2d373cb4aff8522b943ddb594698ecdca 3 | fake_gzip_bokbot_202104, 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830 4 | fake_gzip_bokbot_202104, 4a16934a0f9ed955209363ce28d458f5f35001dd08b5d8d9b6107a89cf974987 5 | fake_gzip_bokbot_202104, 7ed5f451dffde9f38425c92900ccc2ecb46f3f1aa2645451a1c38f7278da18d6 6 | fake_gzip_bokbot_202104, 91cf231431ef2cc4defc4f1ad3d149c665acc317c4a89e0188f32df259b63cef 7 | fake_gzip_bokbot_202104, a20aa44c39c838a4084a5260450334c2a5d094bdc7d8d0da5eb85bb35b7917c6 8 | fake_gzip_bokbot_202104, c8ca58a0025a7ab633a35fe6e98943c9053ca49b18de55f8b57c8ea7c88e8eb0 9 | fake_gzip_bokbot_202104, f90ddca891da06aece3acf7e63070b4cb7d2c5acc0e52ad73b23ae795befd237 10 | fake_gzip_bokbot_202104, fd21b0c2b3d993cad363f5f68306d46cf06c81af324ec6db79fce49225209650 11 | win_iceid_gzip_ldr_202104, 02f481473dd9ad62738530eb89a3148dde67fdd9bbcc1d8f76138f362d0dadaf 12 | win_iceid_gzip_ldr_202104, 08b8d6ac8d2730db28376e60c0554ef9ce49bfc0cedf685c25fc983f835c6a20 13 | win_iceid_gzip_ldr_202104, 0cf3f34cc5124a74b0cac393b7e7afe307933852a153363d48394d595c5af85f 14 | win_iceid_gzip_ldr_202104, 12b0c054d81fc31e992a95b43926c1aaa759304d25981169c89c5ad657456ff7 15 | win_iceid_gzip_ldr_202104, 14fa116c352ce2322b33e6d038d3a5a0dbee160734d51e1746116139df696209 16 | win_iceid_gzip_ldr_202104, 166cea1761e6b4670a84a1b774e15217cd1b751de27a8c8215adcc6c522d4e3f 17 | win_iceid_gzip_ldr_202104, 194e51acedd4023df2a6c7fd9fd8f7910f1347e85dc61a4052915a002f797290 18 | win_iceid_gzip_ldr_202104, 19cd3f40017c48e9852b79e297c7bbafa87c4020c33e7b6a6fc769dfbe965f2d 19 | win_iceid_gzip_ldr_202104, 1ad161628f05b5dd90209f95b3081e92ed1f92c7b52267fae60d1e646516cf34 20 | win_iceid_gzip_ldr_202104, 1ba983d6eae52057fc30293a7f9c7db85ed2888ef7786b3e6704ed422831d024 21 | win_iceid_gzip_ldr_202104, 27879a3f0713aeaf921a6fe18a7a287c86e4a8aa92bd21f4b204b1bbf9ecd03a 22 | win_iceid_gzip_ldr_202104, 2a378c4d4badf2f2cafdbd02d6facc5596c15de8ebde6a8e18d5f6f93cd3d6a3 23 | win_iceid_gzip_ldr_202104, 3dc3678b2affcae25751a13c8d9cb4c741d04a130d989e416810862bb7bb2251 24 | win_iceid_gzip_ldr_202104, 50883bf80b3a6f357f112caf09b0be461a23f5c0c38810548fdc08345606e4fb 25 | win_iceid_gzip_ldr_202104, 50d9a3055e3260d51df8eca46c955b2cbf197830960df04cc9737bb34ab2395c 26 | win_iceid_gzip_ldr_202104, 512bf1fbe3f70f927e8dd96c36aba66a0278ab1e2c35d8452c5229f64e5a2ded 27 | win_iceid_gzip_ldr_202104, 66050a629a11e637841d5fe8a967bf383f59283d7df3897ade3aabfa5b62d984 28 | win_iceid_gzip_ldr_202104, 7459e88626a90b52c3392a14734d00a5238edbf13c61907f39326df2d4c3f922 29 | win_iceid_gzip_ldr_202104, 78d1e981d0bbab1ba77ce030cdf8dda1a73ae1f86dd2e3fff1bf0f9ceb03482e 30 | win_iceid_gzip_ldr_202104, 7d5b21b66c42342b549da82ee665ec25f8feb86d9645ddb97eab8687491bd43f 31 | win_iceid_gzip_ldr_202104, 8286462829309c3b7c759d9f924c092f321c57ddbe35bf5683891032f3792d10 32 | win_iceid_gzip_ldr_202104, 8546fadd4beefeb13d1e3e338933fcfdad22f5bd0ca545504a07ecbde404b758 33 | win_iceid_gzip_ldr_202104, 89045a2f280f7b515542d67911f4f247cf2d2c032d3fa148c6afb8010f5dfb26 34 | win_iceid_gzip_ldr_202104, 8ba1e5eee3a0264e8ff37c37e28f7d37d02ec4fe7ba21a1c643e0d978289888c 35 | win_iceid_gzip_ldr_202104, 9324339e67c823c03c341b8e82da4fe0812f30d048c912123843456e452859eb 36 | win_iceid_gzip_ldr_202104, b267b4e8c07669d786603338f61d1db9b6aea67e54e50d40c800963f7c054e9b 37 | win_iceid_gzip_ldr_202104, b2e12b7a8bd7a8a3eac900d5410ac1a0c0eef7fb54863bd9e0fb6417841e29db 38 | win_iceid_gzip_ldr_202104, b439dba49bbfb1abfad780b8f7a76bf13105b89d506522f01986d0e4202ddb2c 39 | win_iceid_gzip_ldr_202104, b7623a9e1ef71dc167d64fcb8c6cc3140387e255c8ea5b088f363502d64741bb 40 | win_iceid_gzip_ldr_202104, bbd624494360e61ef69c945cd81fc4c168b43385d8f238773cf841eb18e21fdc 41 | win_iceid_gzip_ldr_202104, c335351be995d99cd1980392ea620e187f786d3a7bba31ffc6e6f27689b11a95 42 | win_iceid_gzip_ldr_202104, c9385387cd3c85c17d093f4d7e5ae5850316aa09c66beaef620b946bb159e563 43 | win_iceid_gzip_ldr_202104, c986329a0c07b43db84de9551bde7d7e12faf7af61fd09c1ea2d70344b5120bc 44 | win_iceid_gzip_ldr_202104, cc9c6154dcc1b64c6eea577f48f7611064e82a9dc03817a2adb936286d604a7f 45 | win_iceid_gzip_ldr_202104, d00bfb0c585d842113b85d03a479c632a2c76a23ad1121cf6e55f573ce1fbd11 46 | win_iceid_gzip_ldr_202104, db999c0d62d4fc529d560c578ae1a73ac12d02f4cb3ae89795e12e847b691613 47 | win_iceid_gzip_ldr_202104, fad1544e9907cf6ececb0cd9b7dea61e8e7b695cf214af012d8ecad891973879 48 | win_iceid_gzip_ldr_202104, fceccdeff5ec46186dfaf138f3aaf3d0e26b2f845b6345b3f19bca2130d951b5 49 | win_iceid_gzip_ldr_202104, fe4e4be9e24350dff811410ed7e0d87d14b3f3595b7fd1ea7f4be23dc04d6904 50 | win_iceid_main_202104, 21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c 51 | win_iceid_main_202104, 229b4330fcb185781ded70e6c1206fd12475dc6e113b97bf7e78bf8a230cc318 52 | win_iceid_main_202104, 5dcbb03420e7d6224c4a4e6ac3993d08548cbedf43385988832eb9ae281abf31 53 | win_iceid_main_202104, 66b6a55b67c0201a02dbdc4a2ef3c3f2d57aaadbbefa61c1bcdb59b96fb86743 54 | win_iceid_main_202104, 6cb407bedcc0fb43c5593985a704c9a51066a853eb1b5f2a037d04144185d849 55 | win_iceid_main_202104, af0ac4120929fe98f90d419f3f4ee4a987d021946d070b6c55196b05a14cd1e6 56 | win_iceid_main_202104, b41073e0e1359485456fda28b5157e13af3889a9ee2710d7c6975d36ecc61905 57 | win_iceid_main_202104, b7190de447a0310bfa97789d26a0a8ee2fed2851934bcc3f2806eddbd28bcac0 58 | win_iceid_main_202104, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5 59 | win_iceid_main_202104, d5d5958e21d6fb51e8afa634dda92e7ea3b208108348f8ff8fa8ec7c4fc2df8b 60 | win_iceid_main_202104, de92f36de5436bf92381ac9774fe7c9ad169e70757ffcbc5b453515a06d740c9 61 | win_iceid_main_ldr_202104, 0699184d4a3898a38c8bb31b782bb0125d8dba00d587e11a58b0dc0b5ceaa9cd 62 | win_iceid_main_ldr_202104, 083bce0f0881318063812bd997886b79403b198cc770788dea2f32b6eb4a42ff 63 | win_iceid_main_ldr_202104, 0be8d10ce9fbcbb4e33b71ceec1ba116f361c37f710d32f653c55719da2ccf5f 64 | win_iceid_main_ldr_202104, 1539e7dbf80a7bc4e5a453fe977ee5884c151986a2983958ec0c5f4e0d948f4f 65 | win_iceid_main_ldr_202104, 178081cade2e91a235537e12eaa02f673c3f1e9032881d81b74dd65530ec0bb3 66 | win_iceid_main_ldr_202104, 1ff89548a9276710535977ca303d1172c3c23fdc0ac1e21628a5d1593ad99781 67 | win_iceid_main_ldr_202104, 275ee779844c74c5c7e6d81fdb2e239acb5cdaaae6a049b3352adce09314c3c8 68 | win_iceid_main_ldr_202104, 27dee6f82918479ee2ee60a214bcef0bc9cd9a24193cd9b6281752fa0ff728cb 69 | win_iceid_main_ldr_202104, 28465e697071f60f2745437ce6bf7be4a7815cbb0c15f730fc64592c8e71a3ef 70 | win_iceid_main_ldr_202104, 29dd16e8dc3c855562172aebb910e8e56e5c25eacd5ba3e4f310bc6a00520d75 71 | win_iceid_main_ldr_202104, 2b390d828ad9c35230fa0ef90baa958d3d16620d9313bf20f55ca2c7052a3ea8 72 | win_iceid_main_ldr_202104, 2c72cbe7352624c48e2b915b6cea3c5438cd202a28daecb27aded30edefc63c5 73 | win_iceid_main_ldr_202104, 2cc01933d2a4542821a1400e5ddd61bd8678d4ee0933817d6abbbd08c5e9b74c 74 | win_iceid_main_ldr_202104, 2dd48da60505a9eab7327d98da1b4f18297af4d90fdce43373e858c3ae98c067 75 | win_iceid_main_ldr_202104, 30e435d5e62fe4d2f2134aef71f2ca293dcdfb469ead2bb91934186daba202b5 76 | win_iceid_main_ldr_202104, 34b17ada8e494fa31ed79c9ebcf0111224fb0a69231a427ae84562f5627c4d8b 77 | win_iceid_main_ldr_202104, 386eacdb0859abd2cc0701234928076b65f638c973996b7aadea0f11e3551509 78 | win_iceid_main_ldr_202104, 42fa313831b18f9db44dcbcbff32cea051310b7fa41d41166deee76c2a3d7eae 79 | win_iceid_main_ldr_202104, 453ce66c651aab2725bc2efe67cbba63c001d118672eaa784230f618455af788 80 | win_iceid_main_ldr_202104, 45ecbaabd892c487855fe8be621ce01072af532e801886a9dbc93195526d28f2 81 | win_iceid_main_ldr_202104, 48532db641ed61a1e144de0a390081afc0fd791a9c3aef758dd214f78c468157 82 | win_iceid_main_ldr_202104, 49be4934e3fcb3778714e2f17abd418579ddad206b90c77327a46710e54e5f37 83 | win_iceid_main_ldr_202104, 544b6465c811149090e5e0d69aac4bfb993f7e78fe9f4bcf492b6eaf3d730b9f 84 | win_iceid_main_ldr_202104, 5a432e52b1e530cc35cd01dd190621093f3326bcba77083aebacc5a4a42471f9 85 | win_iceid_main_ldr_202104, 61d3cf7cb176fc25bd005c2dc941d31407bbced9c4dabb6bd66bb2baaaf4e027 86 | win_iceid_main_ldr_202104, 64053208c58e0ca4f7a4b493436e62438b3f0f5ed96d3e9192419ae60b0a1b99 87 | win_iceid_main_ldr_202104, 6770199312a47a728c9e331844108334c69e364544aa336cb514bd20dd6a118f 88 | win_iceid_main_ldr_202104, 6a4dd0fb5ab2fce8fbfb98d7848d1c1934c4464418e5cc97da6a3f1c774c5a7a 89 | win_iceid_main_ldr_202104, 7051f30a6b9c7826f017faf69fe52c6e28c71af1ef5e1dbaae9c6f8a885019a7 90 | win_iceid_main_ldr_202104, 732afcba370f7e9730623aa6e8eb0d36c7d33bc0e49eed03785cdc2a9989fa48 91 | win_iceid_main_ldr_202104, 734be88aa4b7595a91b3dbda90c73856599764d31b20b00d0ac4ddffbe699214 92 | win_iceid_main_ldr_202104, 735c6b7461b12b012290b82a437a001456d6d518ae651321428bc8fcb799558f 93 | win_iceid_main_ldr_202104, 7501eb216d02bbe90e357cfd46b0066ba7fa7e2b37b2c6904c5a9ca225a9f1ac 94 | win_iceid_main_ldr_202104, 798e6729b55c3229a714958027601ad53667b4248081a41e0c98f93b18bd3056 95 | win_iceid_main_ldr_202104, 8301c177db142c3062ed9e7fe6fe2b519d4d184770d9c0689417f5ae4619c4d1 96 | win_iceid_main_ldr_202104, 8a1a1f6f0c146ea5ea8b7007c45c0b411f832b6524517b7e1c7a170429c526fd 97 | win_iceid_main_ldr_202104, 8e79254a4a6384dbdc57c3520ce9c93694d4ce1f07251187039afaf134c1c48f 98 | win_iceid_main_ldr_202104, 8f0aff5920d87c5e9b489b39564e9c5aedd2fb47e4a995d85ae5024baa89d661 99 | win_iceid_main_ldr_202104, 92a9833857288910df920d075dd9bc4d922d52af207d5952184a65237ecd65bf 100 | win_iceid_main_ldr_202104, 97f80c347f8a8813704d76d5b351b4a1b986821a1c44ed95ad4e0c4c93f6ab6e 101 | win_iceid_main_ldr_202104, 98e4ef2e7ece8065b46d67c6a5b40751be8966d26badc9293fccd60bf4d2a61e 102 | win_iceid_main_ldr_202104, 99ad193049c03f300ae8c485e017f53371b96306c3a077842896a65cc687c855 103 | win_iceid_main_ldr_202104, 9bb1533b996d15fcf577db9458a9454bd7115f3f7b60ada6f2869aff8cab1e86 104 | win_iceid_main_ldr_202104, 9bc81912dedb0f050afc6fc6e3b6bef565eec74a628ba32d63d19411d2ce6974 105 | win_iceid_main_ldr_202104, 9d623286d001eaf2a31b8c91e38b003fbdff5e7cd8bbde29bc69c19308611e50 106 | win_iceid_main_ldr_202104, 9d9d42372abdff2febedec520d191a28e7310c48fc5c68d7ee2419d6881b259e 107 | win_iceid_main_ldr_202104, 9eddf7052f14acb641788471fb1343714c0351544b6d52d1ade67e6cd7109075 108 | win_iceid_main_ldr_202104, a6907cbe8bf2d46cfabe8635c1863dec72b4d4a318dc8e0e52a6ca7deb69d8de 109 | win_iceid_main_ldr_202104, a6975ae6fd4f3b07a7af4cc7c5f8a49aa0249ed3f11013c8487f484e6bb59b36 110 | win_iceid_main_ldr_202104, a954753d17d4a285b3a9a262f21b93b80f0625956baa1dbf9a19e90b46432920 111 | win_iceid_main_ldr_202104, ad435db375665d157aed16ba8b51735b65ac6aee86864da78408b44c9d85093b 112 | win_iceid_main_ldr_202104, b8002a96e4dd9e64c61ba0ddefa9cac0aa6693f143a29a4ca1da23b9d0ee7c08 113 | win_iceid_main_ldr_202104, b86d0a12eb72af0690a6293e6a2815161aec4c6837c8f9c93effcd4e249759ee 114 | win_iceid_main_ldr_202104, c04101f36a7d1498379ff6abb2218a2730ad896908e525cd3664ea5cc4a56a18 115 | win_iceid_main_ldr_202104, c28896df6bb0a0cc60bead05c37c8ecc9d93ef5e04853e75f0be8e170eb6208c 116 | win_iceid_main_ldr_202104, c64aa3ceb9bd50620c4a5ba59d117eb9be6a2dff8bfdabcd1611562d5d2c8b67 117 | win_iceid_main_ldr_202104, cccc59bb80ee4003e60632ef75835efe3a5ef2cdf762f6da95f5610f0647d3c1 118 | win_iceid_main_ldr_202104, ceb2884e438fe809559820acb52eb09298b4dfddf222e9b4f550476537c5c3d4 119 | win_iceid_main_ldr_202104, d1506428276269e333d30752ddd3300c6f102e39144b890b0864d7a5ab9acf74 120 | win_iceid_main_ldr_202104, d68afdb539f23b0b2d9d631a1279d0a2d276e0e79fd5398f76c550acf78f5f6e 121 | win_iceid_main_ldr_202104, d958b83ddb4cdaca115b0edf9c91ff38e0729d2030fc789df0dfc53c54ce2309 122 | win_iceid_main_ldr_202104, d98b0869dff3ee90dc4d0eed08a7de08209ec3e2c99cd72f9175380647dcb530 123 | win_iceid_main_ldr_202104, df42fbff0dc3b8f7609d139c8d469c96177aee08463927db9b97c179f3f15cdb 124 | win_iceid_main_ldr_202104, e0215f25932d9c0023fa7d1138805e124ec77ecd1175caa7791f4b8b42570c04 125 | win_iceid_main_ldr_202104, e3033a82b2089affd064d474437530c3c9ec8c0fd0155771961adb69ab89a1c4 126 | win_iceid_main_ldr_202104, e338189c2f00398717fcac0bcd0e82eafe351ea0fc4b9072db9d415ed031aa59 127 | win_iceid_main_ldr_202104, e5a0e4fd89fdc22a36fddc5f3cff31e08317c5bd1287c715a45433c35741ad7d 128 | win_iceid_main_ldr_202104, e5e7fae9b40723fd9ed18f4e776b2cdb8a873c694e07fe5b3dd8312b227152d5 129 | win_iceid_main_ldr_202104, e6a942d6dbda4afe76d962d2a70dad618b38e20c57df4c53f5a514cf645391ac 130 | win_iceid_main_ldr_202104, ef7d068c6d07e49381a24fe2e4f9da3c1fbb0ac5cc6523adc55eb53ce1a785e8 131 | win_iceid_main_ldr_202104, f2481cf56b15a38f7d2d95c5067b60c2b9a65b65381b357d964d6f752c974d6a 132 | win_iceid_main_ldr_202104, fb5e215048521c92d3308ddd378c0bed02aa04e1f67aa28660d2c4b3f600ba67 133 | --------------------------------------------------------------------------------