1b78fd9585aeef7187b489b8c63f46c0d3a4eac9fcfb81bbe8100734f42acf64

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe
Size

1.4MB
MD5

6b232332911a4e13e22557d3ebd80ed5
SHA1

619cff5191948738ffec6a58fad3247ffb1dd7e1
SHA256

1b78fd9585aeef7187b489b8c63f46c0d3a4eac9fcfb81bbe8100734f42acf64
SHA512

83bf169ac3f55eabcddaaea60622bcc85f119f27e95c5dd5cf57aeac58404094a2dd113b0d8f8b82770f341ff5f0ee53a36e7bc60c7717a4a050b8859775f4fb
SSDEEP

12288:t+BrfX/xlovItOjf9G4fHKmY1/HUbEIuqo/ueFYC3YW4TQb6iS3cyabTJJhti/Vl:wBrfX/xSvf9SZ11ueGCIniajabLj+cJ

Score

9^/10

evasion spyware stealer trojan

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002035d-502.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002035d-502.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe

Executes dropped EXE 3 IoCs

pid	Process
2308	3856.tmp
760	Reader_sl.exe
4228	B120.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\atl100.dll	3856.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	3856.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	3856.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	3856.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	3856.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	3856.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	3856.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	3856.tmp
File created	C:\Windows\SysWOW64\olesvr32.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\opencl.dll	3856.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	3856.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	3856.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	3856.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	3856.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	3856.tmp
File created	C:\Windows\SysWOW64\OneDriveSetup.exe	3856.tmp
File created	C:\Windows\SysWOW64\rdvgogl32.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	3856.tmp
File created	C:\Windows\SysWOW64\ir41_32original.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	3856.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	3856.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	3856.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	3856.tmp
File created	C:\Windows\SysWOW64\AppVEntSubsystems32.dll	3856.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	3856.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PSCRIPT5.DLL	3856.tmp
File created	C:\Windows\SysWOW64\acwow64.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	3856.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	3856.tmp
File created	C:\Windows\SysWOW64\ir32_32original.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	3856.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	3856.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	3856.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	3856.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	3856.tmp
File created	C:\Windows\SysWOW64\hh.exe	3856.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	3856.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	3856.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	3856.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	3856.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	3856.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\PrintConfig.dll	3856.tmp
File created	C:\Windows\SysWOW64\gnsdk_fp.dll	3856.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	3856.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\PrintConfig.dll	3856.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PS5UI.DLL	3856.tmp
File created	C:\Windows\SysWOW64\ir50_32original.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	3856.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	3856.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSO.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\Mso30win32client.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api	3856.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\Mso98win32client.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d	3856.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3856.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	3856.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	3856.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll	3856.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdate.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_43.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	3856.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api	3856.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ONNXRuntime-0.5.X.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL	3856.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll	3856.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	3856.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	3856.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1052_none_6277ca3070041917_advapi32.dll_9512793c	3856.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a_ole32.dll_e9dcc2e3	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroForm.api__NON_OPT	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll	3856.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll	3856.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll_Apollo	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	3856.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7_atl.dll_0c7220db	3856.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SaveAsRTF.api_NON_OPT	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api	3856.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33_kerbclientshared.dll_1fa7b356	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	3856.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5_rasautou.exe_477abe34	3856.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d_comctl32.dll_9c499789	3856.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.19041.746_none_c33b9b0d5e48a5d2_sxsoa.dll_cb87188c	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MCIMPP.mpp	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SendMail.api	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	3856.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	3856.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_10.0.0.0__31bf3856ad364e35\NAPCRYPT.DLL	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\WindowsMedia.mpp	3856.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll	3856.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	3856.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDFImpl.dll	3856.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EScript.api	3856.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 2308	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	85
PID 4088 wrote to memory of 2308	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	85
PID 4088 wrote to memory of 2308	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	85
PID 4088 wrote to memory of 760	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	104
PID 4088 wrote to memory of 760	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	104
PID 4088 wrote to memory of 760	4088	2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe	104
PID 760 wrote to memory of 4228	760	Reader_sl.exe	105
PID 760 wrote to memory of 4228	760	Reader_sl.exe	105
PID 760 wrote to memory of 4228	760	Reader_sl.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_6b232332911a4e13e22557d3ebd80ed5_icedid.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\3856.tmp
  C:\Users\Admin\AppData\Local\Temp\3856.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2308
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\B120.tmp
    C:\Users\Admin\AppData\Local\Temp\B120.tmp
    3⤵
    - Executes dropped EXE
    PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
5cfa5fb159d8f6e70436f630c0934402

SHA1
efff8c376f6f2f7092a48fa2f009341fa829c581

SHA256
c79c174a5937a47940ebd8f05330e9baa8df58f01f662891706b93a2561480a1

SHA512
29e72596b57c7cd6d02b5067321cb0c4772eac3c12fc2c73c30fb0b74dbbe3db227219ee9834b822835c4bf79c70ce95c9d92ec85b867dd7f3f78c5b0c70218a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll

Filesize
81.0MB

MD5
02ba4f16fbe923b9db761b525216a01d

SHA1
56db9540535fc54b26d921a168f6981f8aaa7ae8

SHA256
b35935be05c1d02fc5eacefc82e0ba9428ed6c06a1e781d375597ab7809fd30f

SHA512
e3471722750da0dc9be832fc1ada06c5657a81b37b6732215f8f403bbb906fe0ef8e91003039f6817a6ea2ab8b1f16a184448cdcdb33e1434a6744f467bf3d59

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
b61cd175e88c8df7760ecc1f6fe36938

SHA1
414de3819ce3c6107c3d94d6597f4632a96905c3

SHA256
66e56c8b6f4a54cba5599c733acd08ffa50be359ff84d9b1362552545956b852

SHA512
a3fb9c259efc45758f8a7d8c26e7e5f3f3caa4f2c6d0d446d575faf9e9e94057d5d608a51586908cf142b2cfb9266175d46f62bc2c2e589c1cafec6c4d3b59d1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSession.dll

Filesize
657KB

MD5
3e69e054b47b7cc1791d0611eb4ebd02

SHA1
b8a483f7cadb2123f8507f03d4fc8ea0abc2026f

SHA256
a13f17b01f3d562e46d0d568d8972450628b00610767e2846006b8c477904361

SHA512
a1f1e85aa2cc7bf792b5f5528c5b763b0950920cbfc698d1268122e9415d290363f653be61ba44dbe42ece4d54bc75a96df258356cc53f111b3506779f9dbabb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
269KB

MD5
c9b5a25553fb4013fb79552c2d544cb9

SHA1
ab30df944f3ce32979ea51d04c93636db5f673c0

SHA256
d51d46fdc0bbc40eb5306cb7deb6fbe0d7d162ec7b7dc8a76359db862929f538

SHA512
a0603dd872fdef8735625084dafc728ed4bb02d05685871724f9484ef4c0d47e408da03ec2c0811d6cbb8507ac997d9350e0633f04951373ddb07d605fa9d144

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ace.dll

Filesize
1.3MB

MD5
1c3ee6dff0433c6728dfd54a76b6f130

SHA1
8d09700b1f59c1ab6c2b77355b74b4381b848def

SHA256
f7478d88426dd067543a0f6c1d66764f8cc4558a65c2a1f5aef2c8079eee4197

SHA512
12aca1fdce4969c13ae2f0679ac143e029419297d269e076d80ad7324ad271f0c42f4d34564831b33a67ecc2a3ef206c17ded94b92a777515f8c70ba3ccbf6f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.dll

Filesize
30.0MB

MD5
fc0e8a6182112548099a1d241b62e6ea

SHA1
4c2cbd8dda76d523337352742d629c1a4555d6a0

SHA256
aec1ef1cc786d36d1a66b9013f6bd514d85f6d5be613b958721a62c27dabce7d

SHA512
54276f7dfec120e25218b067e9bbc02d7484693b8b6d32109059cc86be61a56bf07608ea53f7de6d1ff2ff28e86a3fa9be3ddbc3fdea18462288c9333fa00695

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\agm.dll

Filesize
5.8MB

MD5
4f8989be76cab14d9019139157119181

SHA1
747aaf53da7d8cfb6bff23f3b16805e5465135c5

SHA256
e32ed3572bdc2f55a80520b49c5c58b24b527928a692c6594c72672d88b01f39

SHA512
68ba9b9501393bb93743b1f451dad63b85b228f0d75b4b6b0816a3f7367c9bb394503113f6bc0ac7cb71a618200041563322b77018776f54bacec6e6f2dfb1e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\bib.dll

Filesize
343KB

MD5
32e4ad6bcc3b69f7897c4ef1572827b0

SHA1
e830f085a98b99f39a6493e6cad5165f650b6785

SHA256
1194448bfbfd20ddb502afd10e2597fe1ad597eb2bf8953a775734bf7e8a2c36

SHA512
b85cdeea631771225deb6da1f602fb5fcf939e036287bbabadb3d0246706383329b2a057b7868eef028f6cd2b5f560bcfea9f6e360cc667939221342bb654754

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll

Filesize
423KB

MD5
8457705bf05a7b6d463f3a9e82fa3d6f

SHA1
c13830a14e1edd6d76de086e170cdefe6cbbbe5e

SHA256
8056b0ebdeab5d2f9373aa43e07a8d9bb8cfba03b91c6dbc04659f01372a931c

SHA512
5b6edf3957b183c3aaa56447b377276cb6ab1dfbdad6ff25afb7f9b79f8a7a736788ca03a865916352c4d7a8b28c808165fb55860bd99dcdc9d224f889ec98f7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\accessibility.api

Filesize
816KB

MD5
5923adc54c921fe02c4ad520d5a9d03a

SHA1
8e0ea84466659cfa6606646b6d51b35417725a57

SHA256
9c1f66748ab3a0b047787babe8872c610439871a0fd645160ae5235015ac2765

SHA512
df2b477ba34848cd10915e7a60c54999843f0753dca6f6a290e4746a93ec8b4206ef22d0a87cb2be533658d764b2977c7ade6171391b283ec809b21945eeda90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\acroform.api

Filesize
15.2MB

MD5
6b84721ee60b9354787e95ad1fa242e1

SHA1
0646aa7ed9042783c21ddc5e8bf0d1ce3ba42a9c

SHA256
1f642c5da57e3976dd67f2e58122a250334e27c9373c26d82ba5e29219d1976e

SHA512
9e3404588664e43851911bb6463c613c4838d8d22621e7fcde6784f26acede2f763e48220880b6341beb1d8c23952617680211a624457623f9fb96c505f7a090

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\annots.api

Filesize
8.3MB

MD5
b4f7ca32faede96d94c5c780dd0e447d

SHA1
92004384b2806970b9ab07dc1332bc5bf0c9a7e4

SHA256
0fcf9982f51105557a75cb4dcb7c058a1894b35d39878b7a99b42f9c449967d7

SHA512
9b171dc51c1c9fcc0d59ea82dde27415dc42b6301515691ef0397b6fd4350e0d74a5459baa9205fdd8f057b61e422a3e23524872a1e24ede937f0fdd2bf58d19

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\escript.api

Filesize
3.3MB

MD5
3779bea3cd428e2b724c4b7a29c6d001

SHA1
ed5af1ac8ce85ddefdba5c8d0a4272910ad44875

SHA256
7b859202d9dc9f3ce679047427cd82607e31fcc59b1a177c4a9ee870d9a737d4

SHA512
e9461727e82b8cfac89232670bef1f8d74f07c1f5c553b2baecc467366fd5e5e384fa10135912bd5e86b753ed9e1cfb997c88a3530b2dee71a68e8e8d253b3e1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\makeaccessible.api

Filesize
7.7MB

MD5
10ed7dc4942587ea897d77f604f656e1

SHA1
cbf31d51af28cbde482d247281401a7f049afd49

SHA256
ba5f2f0ebc4128a7efe3a1558ac5af5af2c31c6440d5023020b85ae27dc57438

SHA512
75b3b1e1d60a7123b2a54eb822f7d975f5f445e021663cb6a263623536e5dfb82e59054eddfda8569548e05fa53d01487b20a88a46b45d9eee93f3552d4375e4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\multimedia.api

Filesize
1.9MB

MD5
1e9950e38f39ec967da724ab1bcd38e1

SHA1
fbc4cdabe193b4f7b45523a27ba0d141dcdc51f0

SHA256
ceb54db6d24aba5f697867824de7df59ae4ff90434e8803e665b9f41bc18805d

SHA512
a08df2852df42b3ef1e9e800a85b10022a495ed116a6117b6c238dc70ae76eed307d87724dca7b1c480b715194e95e668b52d67475c10cdc18ce0804e1647a7d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
329KB

MD5
0f4ed8b9c41c4204fd99588b5d6edde3

SHA1
3ae8447607a67ae35b63bc44210a46bf88ba76f3

SHA256
264014d460b1aa01b56ae422e0339f620aedbe292deee5bb1c1039e2a862299f

SHA512
de8a3eb3a91c2f8d532c7b75cac09a23024454307d1660b661c62683c2084069240dbd6c818b08b3709b28fdeffab3ace635689d2ab47bf1bb90fe4b43f17ea1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ppklite.api

Filesize
8.3MB

MD5
a024a30bc3b8c31d63c3d6cf115dbc3f

SHA1
a40fac04dd3c2a21c91807fe45b89be7d80fe355

SHA256
909d968f2b0ba296530eca4138ec4a1719df436fbee8b511224c53abade7e1e9

SHA512
95fe072b5a9549a6f60b3e3b0f3263de9a192d7531c39beb88e62099cb577c9a70b0571ddb31f06d18555c4fd6e4d68527c4bcaf31b656b19d792bf45541ec62

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\readoutloud.api

Filesize
323KB

MD5
1a884c16b0950cc5280368e613482f76

SHA1
4aaebe03f25ff292edaf41dc9b1d6e293da370b3

SHA256
e27ca3895dbc35443b66ab1af3234bf941dde55b87af61a9ef158601021857da

SHA512
590403174fb18b7a3d11ed00c4eaef777cd656721396faf078c009b8db02c9b36ff160b459954dbedb505ea726fc13fdf96adf33e8bf0c3248d0a3b7b1501ede

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\saveasrtf.api

Filesize
739KB

MD5
beb0daa440e08fa9f75f8a3fae9fe7b7

SHA1
dc4083bc5a91609739f3021a62fe03843e3f66e2

SHA256
1013e45e2d8d8274089d0f1ab21adf74211ad486bcc8403c1497156f2632ae69

SHA512
1274e2a2dfcfdb8f835ae37a354b45cffbad23d09ffc36eda5fe8f9276a8a60fe714c0fe0b4b78568b7ff29491958dfb2230712a1066e8e2e805163b9dcd6b7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\search.api

Filesize
721KB

MD5
2804c36cb982df6284695cb4cbfb5808

SHA1
4d435a7b87b6856dd08e09e0fb7c2ec0b86c8919

SHA256
e341b5eb3a98b7c006d8a78fe936ab6f08eed063517b90607e370544aaf26152

SHA512
05fe67f234c52ca2bba6dc800f330f702afec0a82596c39e6ff7cd8bf9671a492391d7c4f0b009e30abba9b5b3455631892f3de890a7a0eec9673c93596ac1a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sendmail.api

Filesize
2.4MB

MD5
50c183c46b2b6dedecd24e6dab5cd7cc

SHA1
fbc1e1f85e3625c60d49a8f02b4147ac0f827fe8

SHA256
9a87b779f656069c4d43aca2a5eae08d0a1e817bf6e77fcd91ba30ba7fc57f55

SHA512
41f380b0e0ee1a64395e0f30b68e95b5e1736230a8686658bd3491dfdd6894ae55665b880a8efbbe979fe41a8203c5638c7e83ba99c55e42908ac21c01f350c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll

Filesize
776KB

MD5
4590ce636a6a60982cae1161ad571de2

SHA1
177ce7f49d3dcbf5189f773410abec0968fbf16f

SHA256
1947fa9ee0897f72ae21985cc347a8c01050377bf7f8e0876b62bd1259e80d0c

SHA512
647f337be0e621ee70c08844c1df6cc384e7d1b4db51a6a4b79b652d9db57df98afc1fba372c8ce1c1cd07d50b201cc33af080609c8e61b8f41b4f61b68ab04d

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
717KB

MD5
a407c16e257140dbaf9afd1e69bd0290

SHA1
33517194fc2dca8cebf812269c2199f99d97f87a

SHA256
8ee489eb75092d51bdd98229344a019230b9a8f7805d7bcc4ad0b6d0c37bea5e

SHA512
a655af1b671d71999a2e1267f4b5766e63bf4010c188b6bbfbb4fae85ac51cfbc0e3761cabd010a0b685c09555ff096503ac1cf3fe6dfc6fa1920d0a436d1884

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
899da4c462b989e8113e3b1160bc5f6a

SHA1
7370d93638a7822309f858dc5c1a5d1145991099

SHA256
ea15ddbfa5575b8994877b933ccc762f21371d539cd007f92aab33f4027946e8

SHA512
da4cf5fc8be05b3597576c18e4d2d79ccf9a01410e5310b3ee85fbbecee31031ff9c2a0638d266acb1d24f2f7435404fb9d22c2d2af899ae29e8ced33e9c7cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
471B

MD5
b5a1fdbf49eed076e5c67679aab9361b

SHA1
53afca680358d39e9309f3e92042c6bc6747f990

SHA256
c6daeface3b414dfa0a41890ff1c1cbb0799b81026e04709a209486c66fa5d79

SHA512
426d01279f8698023b14cb024367aaa83541c985020c89e5ee3faad96622e02309eb5dbd03db73bd7bfd88b44562fc48454726482b71bb1de907ae4f5f275413

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
e3023c8d94bad481142a2ac49f7117bc

SHA1
ec1a18ff099b9e985ce998a0a09edfdf1b975633

SHA256
ad2c85865e735c8130fb5568c4b2221a02d712161a4192d9d94b0b3534ac360a

SHA512
ba314c5db0518ae96059384c0cd2a9cc3579bad5bbe5b215131361b5cbe9dca074870427ddb768db9d06365bcbf17dec1d207147af1c97835e367ed9aa4f35c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
408B

MD5
0d12c030205159914662313cba4318a0

SHA1
d1f01b516001cbc50a5aa12193a76fdeff3422f7

SHA256
18c4b46a269e87c9784f8275fe1518c5f08dd737cb651a6689d8cf111e5c4dfd

SHA512
9b8f5863bc060fa1ba3c4a5d6875ec73225e8dcd752eee1549d3490f1dce15f9e46292318cc77c029d9fd87493105a2e4a9d5d6daa35fc4965f6e661deda2ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3856.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6B0F.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB029.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCD76.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Users\All Users\Adobe\ARM\S\13934\AdobeARM.msi

Filesize
869KB

MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\Windows\SysWOW64\msvcr100.dll

Filesize
1.1MB

MD5
c04a4b5b3e2607d4b44ce0b2dea5b9f0

SHA1
ca400f14abc82fca158f461afa23399264047317

SHA256
7f9aaa15c8d81c45650ebaaaf8973d81156cd72f6487cc9d8960585f912c42f1

SHA512
3a057f5dfdbe035bccccd20720786558638f18bea049614e2f0d76bad2bbfee25b93b0ebbad8f6b0ccae8716a2111a82e9e86b82d7eab9c0fbcb174ee01218c9

Download Submit
C:\Windows\SysWOW64\msvcr110.dll

Filesize
1.2MB

MD5
332970fdf266fafd9c3ca4a857ee32cf

SHA1
eb1e9c24f6ecc0ca69df6ef4c9646f7c416b9707

SHA256
c4acc53345623b4a2b0f2e7f18db7b690831028c28dbbbe12602b5d450dd9d1f

SHA512
29667029071b6188e43322ca177c3a8bde8af4c9ffd8f9f2a37a36b360d5d5a724d4393b4e7f4b4160310abcc3d961ba9f3c7fef9a63337e7d89b8e4d01fa227

Download Submit
C:\Windows\SysWOW64\msvcr120.dll

Filesize
1.3MB

MD5
790aca90fc615193cd684f0f6e386c64

SHA1
c452b017b9e3a8cf63ed0aa33e8d2d4f850ba6b6

SHA256
13e3a369bb48769abfb98b05b653b2d07123b908b907211ffb4763239e569147

SHA512
9cde2357b3ca8ca808ffc3df7742fba1e12dc77346382fdd17d0f535b355bd8fdda552b9ae50c4b735f802f6570b63774f79e2e18f246e71cd370764bbf6324a

Download Submit
memory/760-376-0x0000000002090000-0x00000000020C9000-memory.dmp

Filesize
228KB

Download
memory/760-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/760-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/760-508-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4088-1-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/4088-0-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads