f574f42aab3c9986f192fc75a434361e510f79ea526c08b886fba1f6c1af7a71

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
Size

1.4MB
MD5

cceddb47dad13963ae2d664109b3f784
SHA1

50e90f05c5d3da8d68a5b0e3749d3bf6068033d7
SHA256

f574f42aab3c9986f192fc75a434361e510f79ea526c08b886fba1f6c1af7a71
SHA512

a149ac7ed4ff4a6d77fe476be860c15c923e09ec078d8f96c0f9a4f9300d01b2f1ad136c112db1bcfac834c02e66999b29ea0cf318d8c32644f6c519d541e513
SSDEEP

24576:QDhCfuvRglazfWGhJtex/BQOi0jamJuwCTkfM2tqnq+:2hCftazfWoJtexpQn0jawHScMC+

Score

9^/10

evasion spyware stealer trojan

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Executes dropped EXE 3 IoCs

Processes:

51C9.tmpReader_sl.exeE3C8.tmp

pid process

3708 51C9.tmp
1496 Reader_sl.exe
2276 E3C8.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3708	51C9.tmp
1496	Reader_sl.exe
2276	E3C8.tmp

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Drops file in System32 directory 58 IoCs

Processes:

51C9.tmp

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	51C9.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	51C9.tmp
File created	C:\Windows\SysWOW64\gnsdk_fp.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\ir41_32original.dll	51C9.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\hh.exe	51C9.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	51C9.tmp
File created	C:\Windows\SysWOW64\acwow64.dll	51C9.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\opencl.dll	51C9.tmp
File created	C:\Windows\SysWOW64\AppVEntSubsystems32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	51C9.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	51C9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PSCRIPT5.DLL	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	51C9.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	51C9.tmp
File created	C:\Windows\SysWOW64\OneDriveSetup.exe	51C9.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\PrintConfig.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	51C9.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	51C9.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	51C9.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	51C9.tmp
File created	C:\Windows\SysWOW64\ir50_32original.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	51C9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\PrintConfig.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	51C9.tmp
File created	C:\Windows\SysWOW64\rdvgogl32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	51C9.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	51C9.tmp
File created	C:\Windows\SysWOW64\ir32_32original.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	51C9.tmp
File created	C:\Windows\SysWOW64\olesvr32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	51C9.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	51C9.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	51C9.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	51C9.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	51C9.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PS5UI.DLL	51C9.tmp

Drops file in Program Files directory 64 IoCs

Processes:

51C9.tmp2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedBrowserWebView.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll	51C9.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api	51C9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	51C9.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\MicrosoftEdgeUpdateCore.exe	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	51C9.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d	51C9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\msedgeupdate.dll	51C9.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api	51C9.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	51C9.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	51C9.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	51C9.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll	51C9.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll	51C9.tmp

Drops file in Windows directory 64 IoCs

Processes:

51C9.tmp

description	ioc	process
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1052_none_6277ca3070041917_advapi32.dll_9512793c	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroForm.api__NON_OPT	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	51C9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_10.0.0.0__31bf3856ad364e35\NAPCRYPT.DLL	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	51C9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	51C9.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d_comctl32.dll_9c499789	51C9.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7_atl.dll_0c7220db	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MCIMPP.mpp	51C9.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a_ole32.dll_e9dcc2e3	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	51C9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SaveAsRTF.api_NON_OPT	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	51C9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe	51C9.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll	51C9.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.19041.746_none_c33b9b0d5e48a5d2_sxsoa.dll_cb87188c	51C9.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll_Apollo	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\WindowsMedia.mpp	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EScript.api	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	51C9.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33_kerbclientshared.dll_1fa7b356	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	51C9.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5_rasautou.exe_477abe34	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Accessibility.api_NON_OPT	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDFImpl.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api	51C9.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	51C9.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	51C9.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll	51C9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

pid process

60 2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

pid	process
60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exeReader_sl.exe

description	pid	process	target process
PID 60 wrote to memory of 3708	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	51C9.tmp
PID 60 wrote to memory of 3708	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	51C9.tmp
PID 60 wrote to memory of 3708	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	51C9.tmp
PID 60 wrote to memory of 1496	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 60 wrote to memory of 1496	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 60 wrote to memory of 1496	60	2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe	Reader_sl.exe
PID 1496 wrote to memory of 2276	1496	Reader_sl.exe	E3C8.tmp
PID 1496 wrote to memory of 2276	1496	Reader_sl.exe	E3C8.tmp
PID 1496 wrote to memory of 2276	1496	Reader_sl.exe	E3C8.tmp

C:\Users\Admin\AppData\Local\Temp\2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_cceddb47dad13963ae2d664109b3f784_icedid.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\51C9.tmp
C:\Users\Admin\AppData\Local\Temp\51C9.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\E3C8.tmp
C:\Users\Admin\AppData\Local\Temp\E3C8.tmp
3⤵
- Executes dropped EXE
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
4.3MB

MD5
2e24359d248d53d9f7f6f483caa6b46f

SHA1
350a5d1f00d0e81e3f43ccd5262fe1d70ebd9359

SHA256
53995d363466550e932721d6a8428ca39115bc8f65c60dad7d1cb03a1c9eb126

SHA512
af6d216cbca0d5cfb47900bd68806a2f641290f1fae4d2076396a64759e09d25d84a56ddd5e60d77eacf45942a0de6a7a1995a63e832d0d7e5692af1a7648bfc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll

Filesize
4.2MB

MD5
1e7883b3d5d986d6c206bf8fbe82703a

SHA1
7fb232f117b9cce4fa46cf01b3175f80f608b4c9

SHA256
230eefaff445c5a3cec7d203a83e231a06b0055b4cfe546758850a56a42e0e58

SHA512
19e7f35c855c8aa4f27fe8e514aca82ee10faadaa3da179b57d5cbc432e44b11a19e1366ae90705f6e052fec91341119efeacfec4947daf67003f271386db2e7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
fc82e81a7f006db517ce111ce1a97222

SHA1
36d5e8ec175f89f801ee35d21e3b51dd899407ea

SHA256
753f07eb07f2351c03383eb5439e9a1f5fe97830deea227a15882dd059d95aa4

SHA512
adbdd2298900e877d1fadfe8250a9c116a476560d90cdd7ae4e2d3b541b636233ed55b9720ebdc8b87bf1078705f0a069ccf4a68733f0cbdff0e32a8c913f6de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSession.dll

Filesize
661KB

MD5
de13b659bddc800aff8c30a3287fce2e

SHA1
b1123ef83e56a6e2fc10e48b7672c4ec84313309

SHA256
bc389be2f4f9b76b65c0b0322f476dc83a2344d9bd229ee9c782321779d7e65c

SHA512
ecbc2e2a70ed4649b1544eb8117d2f805d7e2d07720b8ac2bf6aa75ca07c1edb82a198189d7202ab0bd1916073a1f5c5ebfb1604948b53d0f2fa4773e143b9a2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
269KB

MD5
783c0172e0819ce66a2368da63254f31

SHA1
a4f6831452d88e5e5fbe24236cf8284d7b1fe8e2

SHA256
e54f157b5e4f4e829d6a1065db98f4448fd8d06c3dd2c3915fad8e0b701d8790

SHA512
943e6dc48b30bf744dffab07a66400822cbbb907ffd43e949c0222ad87ac53dc9e7ca8ca6c05630bd704f2e3c10f88b6c60d0434b74e3ed5aac7116a8fcdb3a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ace.dll

Filesize
1.3MB

MD5
5983d3d0647fa40a7014a8bac4dc30a2

SHA1
c8b17b38ddbde0c80fa74de57bf408a512aeda5b

SHA256
b7d92592d91bfd0694bf79eef6f622c85994d0c4d56c18102a987fead372b988

SHA512
c8357236dd7ae3f767db986f0350e5cd8c8b6d10321387df6ce5c76e7f11bfad9054663e7c18751a7a23336be54fbdc49dd4ab384dce7d1af32d34f93da5c4fa

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.dll

Filesize
10.1MB

MD5
edeebbeb130247b6abf935f8c71dac03

SHA1
8835a2e175786c1f55f29ac88f026e2c3182dd80

SHA256
8dae780bb89fb48ae7e9dfec7268ca4d8c280e51343889674fa3ac23ee3ddc23

SHA512
838b5ccdcec66d84650072a8d4fb5cd4f749f18139521d0cac2e5e3bf2b9405ba4a32629b14cd75ec7d7a5a1653f9737ae2616e3e609e2ee86b590af6e0f19cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\agm.dll

Filesize
3.2MB

MD5
2c1e9807cbac878c063aa77dc8017931

SHA1
410eccc8fe172cf2086f61808b5be2611865727b

SHA256
d874d732c2e762c4e57c81cb845db032bd64262dd0fc7502226b76b66ddc6cf0

SHA512
0313c54013ac73d5c2e223a6e40d94274c3ecb8e774cc53d04fe6c42aeb1fa98db0f4a414dff55d7abfa50fc20157efb47a024478c743bc0de182d3fba596ea5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\bib.dll

Filesize
365KB

MD5
10e2a745595a640447d4a18d3f639401

SHA1
5dffb2645a7e9222a669842c2fea495665cc7a98

SHA256
861208ed67b60d08985c92d3d2950b58904532dd06316559ecd4a9f40fe502f5

SHA512
b6e968bd1e7c446f9f0e23c8364441dc9603a2f95fe0beab6c5da96d7f3be488b769573d20d97b0b6f25b5da060e67c2fdd077abf773f3da32af7d67b77ce773

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll

Filesize
432KB

MD5
34289391729dcce84f03cc5c749e9e91

SHA1
c3da1d57171df4b1a20d96c7aec6d5cc38fae7f3

SHA256
46f916273ea75e1427eb78f9561e093c70d2a77da3651d6aa9209cf16e78de56

SHA512
5e1f94a9e0ec886333b9ffcd217f7cc99ed9160254714007d23c2542a5706c5b3d1bcf6183513e16656c834d21bb9bacbd2a43b4528e5e953c6a0e649a1a7e3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\accessibility.api

Filesize
800KB

MD5
581d23f0cc6974e7a72f4ec2bcbf373c

SHA1
0eb038f5f033f778dc4b2cb0c4eda569b2d26e81

SHA256
b7350e217bce7e0f134fc969c22927ac372771489420e6be807b0fbaf456097e

SHA512
e82d0ba42b70ba0a73c2663207f5845e9d4e63a1958289e8e1108c17372294d3b0cc2a43b944a592495987fd87965a5dc9c1e1d9417ad96f64a357da5ad397c8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\acroform.api

Filesize
7.5MB

MD5
45923f488a3d33ad2bef51bca9f1bf6c

SHA1
cbb52059c4efb4eb493258463938d21ffccc73a9

SHA256
627ac7a2cb95de39833ecd85a99c50d7d28ad04c17e7d76787868d8f4aec1e1e

SHA512
ddaf95fc5b7d308259296baed70749dca3d691c93e606dc74fe27e5de822fb81664c1b712563a152aea5e7343530b67c8c8d5dbf4cfdfbf1cc4f17ebad356ce2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\annots.api

Filesize
8.1MB

MD5
bb3e414e0b4352facd6b74354539053b

SHA1
61c243cabc19a356a90aae76def0a9acbca58e6b

SHA256
0ffee064f9b85398846106a1303fa00c8fa80c90bfda47907db8bf611434f199

SHA512
2c9a390e7e2856328d4c5965e048a69a65fc9416b04a4d1ee51eef80a4ce7be037fef8db059c918c4aafd31fc11a93f16c18e25e330cf0a0c0af9f7a40173f28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\escript.api

Filesize
3.3MB

MD5
dea4b7fd9f65b449156ba1a0abff96c8

SHA1
6115849b19b50fca5f08c2761730a41d18ff8531

SHA256
107cdeff4382a49fb786f5e729acf89d0d9b928f5fec7eabede773232d34fd4e

SHA512
85face9c550c9e92cbe0391e1334e8296b03b36f3647eafb609ef9f35f1a2609de48d2211749ed47a6d4368059732e077d1661b5833f89c676e4ca5436e23cf6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\makeaccessible.api

Filesize
6.6MB

MD5
ead44900110a4c3550afb7dc56cd1257

SHA1
950d574ddd2a9090d3e0ed2cf2c29ff22e553a94

SHA256
8946cd02666d4a95aa5afe04d9a4a04cca31aa456b7bcd30008efb1cdca97273

SHA512
aef4fe3ad12098acd6f5e80a4314298ce6adb071c6d1d0cf059e1e3b36734e5f427f3824d22009313fe90060906779b4029560aac83f665f1e31cec738e16b3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\multimedia.api

Filesize
1.9MB

MD5
9e3f46ea5418d45f9727dc42ad409382

SHA1
4bb4172c74157dd0cbd99e94d03bc2bf455b8bc0

SHA256
473e43ac0e2e0cf439ed19758261655e887456174c4de8ff7151f53856341093

SHA512
165b9e252a17392ae7df2cc1010c0a6e53f2ed504c9c9d068a92097fe03878cfebdbf22d4a07e038e12aba5d3904a4ed446d02b90fe530c7aa54b2e1c670f89f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
337KB

MD5
f687c28531c2d5e675e88865aba58cde

SHA1
2ac2f0cb2de9ca8ecd18fabdfee1b87240ff4dc6

SHA256
66f77abac52bd4128b16de574cb44773c6fa372a39a0c9849267ddf08e5da56c

SHA512
64a05723a3e0a8a03ee3eff89c00cbe622ee33ff8ca1384b8831cde34bf5be6258155467343dd8a271878af3e80175f6444c31d1dfdd30055d2b6cc95f0d9dcb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ppklite.api

Filesize
5.2MB

MD5
c469cf994e574907c5b89e89858f2d5c

SHA1
e126b5e882af1d855d64c40a920900abc28b2372

SHA256
509bad8ef89df29ebf123d7cb674c6809d0ab681b4fdae8f40808239fd6881d9

SHA512
70df50ac91a6d959ea07d5c8d96c9981790b6b3a2930a7c0e0d953dccefc33692166e2bed338a75b26874c76726a33345a5f2af7b9d3dea1206ef26483343051

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\readoutloud.api

Filesize
333KB

MD5
a91ada579ff349166e57ba15e275649a

SHA1
f8670562fe1f23b207ef98d39cd4b079dc285c3b

SHA256
7d5c2bce3ef6c128329eafa458ccd69ed17547fe98152e33686323a3c6e151f1

SHA512
1879ad86e47fadefb29c80f1f5bad696c7047cd959c57e3f060c97763f2b03d801fd0500a17ca1b934628823bb5ca3a24487632f85f8190dc328363098f93c6d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\saveasrtf.api

Filesize
738KB

MD5
dc6803df187398e49a437d3241981fac

SHA1
34d55ad8c3fc3b9af83556d403e0f39a8d965bc3

SHA256
7476615f18fd1758c2893ec6a7547a6b4762c0f107d1bd050101eb764bb45fef

SHA512
4c9b54034231d1b8335b9a5dee2239d17fad7baee7b5d24afda987561a22470ba525b988a203af2e108e72dfd24a17d2d435fdb3528965a7dd7780f02cfcea75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\search.api

Filesize
715KB

MD5
22635b99e64d339673385d91882029c0

SHA1
6b34d68b6ae76f8b781244d6056fdb96a9090e9e

SHA256
a2c97acb906e4440af1b191c1aadf6c1d27b94c56e65fa6b4b6f9af9f9064702

SHA512
359eb3c8c37131389f1d2d1c2579b3e1deaa30ad25b19ee3570af06a1b378e992b24b4d45f2a5cee072fac1963283ce75932d8df9575f72d270bcc79e85312e9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sendmail.api

Filesize
2.3MB

MD5
84c344f7c6dca5b3a6f728437e294072

SHA1
50100107c98728618d6ce84f2d48a0545389132d

SHA256
d4a9d94acdba34a35798d3a58c60432f6b62751f32462329ee57b299b9ad5d18

SHA512
b0b87c96a915cfae3c309cb093b61d0f22827275b06a009d199b9c1d1bb187b569e1c77b943ea1b7b382270a295c2b0537089f5de2253cf64d24effc7e8fcc5f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll

Filesize
773KB

MD5
e482d8a3ea92516e637dd268a1d415b0

SHA1
2a260dc6155cb931d9314d58d5a57634ffc8e0e8

SHA256
4cf385d1ed09c211d7005a5a5fec9e27067d351f32f2465bf53b117265a6d3f9

SHA512
978944e81237910b5bec740a8cc037ad3e9d3b358ad610d0ddfa53f1af1f652400a100a1983cd5ad0dd23adc9f05bd1840f2b2acbcb0dfd5f309bc5ed618dd61

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
716KB

MD5
9e66bc9578483f7293a640842eefc9a4

SHA1
e1bbb104f5ef561ad16a45bb2a3de328d183819b

SHA256
f608ab90a3b35a78e316188adebf2ede3de2f31b7ef80352162ed0bb6d47708f

SHA512
bb6ce214893eb6bc49f7ed62fc69e2dca12a2ebb663a20ea2f42c97c3645a36deccc96c6012bcf4501781e289d34bca2ebb776423ed207de2dae5059d00be4d8

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
4830f676f600cf9d09fdcdb96ca7c77c

SHA1
c1ba5a50821f3238835c3fca4ba4fd2cdba78b97

SHA256
04afe041b11b1868bbaa513a984ee924482993e9d20e0c7100c4b0c342a589b3

SHA512
eb734f6358dcda735ef2642ed655bfe7d290dc3dd21ea79bd955bc92afeae4140fca6b0be48334ef2690ef9ea0941466cd6b694839a43e2d9794f01bb5a49543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
471B

MD5
03b10cd120a7ad034d818cb38a9b72e2

SHA1
44d8d35d66f27eaa794189e41c91485c87adfd93

SHA256
00b4a17783a0397ac68e832e4d0355ca8dc21b4588e9c0fb18d19c05aeb87bb9

SHA512
688c93c3affb5664f0362ab9edf225477d74560edaf20ae0110e7bab23285069cc7d8916937e2f69203b11ad46620f4b347c481c4fedf3c17736231bd9b10ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
e6f503ccf53f992c869aacc384b044f5

SHA1
da6cff535452928ea4822b700dd369969f32e2eb

SHA256
6147ab0059c00c830e211bd1c96c6bd06b200632e67169b210fc77b159f4c617

SHA512
c99e4784be8d2a7652dfb36cf0f17b635f973c360e180328553d399e8d1be64ff7f7c7e5c7e99ccb93a135c802fa44ef29f4afcbce3321273a94543cbab6a714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
408B

MD5
d59429b25c5b6c638d8e1b4b2040021e

SHA1
3a68217ebcb329a10ae32baff7a28fdde235cbd7

SHA256
0de16911d9adda7d3d5749d79977e6954989a3a0c686c54ed6893d745fb55441

SHA512
8ca65ff84c8133fa5143884ff8dc2f9b00f98c75e58980b54d84a5992747fe095861e285ff988769087904af3bc6d597316c93c374e8292ccfa6217342516cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\51C9.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8425.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE216.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE61E.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Windows\SysWOW64\msvcr100.dll

Filesize
1.1MB

MD5
47e910d81d9d03933b53552c5d232c93

SHA1
b87bc169bb1fea958c815901684c74eaed667e2d

SHA256
b418b042c12da74bd4678db38f32a50f06425add78d38e87136ee9ee8e5a7150

SHA512
18c688f7af62bd52a39ef751ec45c2c121f290b0322a2376226b06636a8c8eadb5c090318dc9c2c5c0edebbe12785441ed66868366bfb350033246c44ba3f844

Download Submit
C:\Windows\SysWOW64\msvcr110.dll

Filesize
1.2MB

MD5
ba39c0d12dc46abf0d21db6ef5406e79

SHA1
f26448d9ca67eb41b46dd4827bb5386b9011cf23

SHA256
48278fb666d7fd685c1b1243bc00075da1b4a9d4502ec11f876d43a54f774b91

SHA512
979c518116e14e648e043b59e627278739e9e79d2d797054966e8cf3d43e55ce980b392ff6ebc0532fc77bc5be1f71a5545bad7c896e9ff917610f0dcb181ed3

Download Submit
C:\Windows\SysWOW64\msvcr120.dll

Filesize
1.3MB

MD5
ab32c46263768d8453265e1d38516a1d

SHA1
c0740d64fa9e478fcbd98fffce15fd61aa4a8ad7

SHA256
46828b9975856b1194c1b56cf9840de5da2f3c2e0b43677cb2c30bb7ba0faa1b

SHA512
3896de3392d522f340e0131e33718f77e773794853d6c6abd8f00cc0fa712884e71fc0f76e19e1666330115407852f4fc759d283e25d82511c0a89c5c9ea4f36

Download Submit
memory/60-1-0x0000000000B90000-0x0000000000BDA000-memory.dmp

Filesize
296KB

Download
memory/60-0-0x0000000000B90000-0x0000000000BDA000-memory.dmp

Filesize
296KB

Download
memory/1496-320-0x00000000005C0000-0x00000000005F8000-memory.dmp

Filesize
224KB

Download
memory/1496-322-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1496-398-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1496-423-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download