dca99fe49af49ca6bd009566176fcc2709ac8971aba08a72b6e9bcab86c2136a

Analysis

max time kernel
125s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
Size

720KB
MD5

65101ca439af15d788f6bd289fa1d09d
SHA1

fde71a4562f7d9187343b59e7a656ab9ad03e12d
SHA256

dca99fe49af49ca6bd009566176fcc2709ac8971aba08a72b6e9bcab86c2136a
SHA512

3fae3d603547c7a6a0e017f6be82e79067d3e48aa0ea9ef82763d068118c346ca43f1c838a7b543662349a8325994ab2bb4b30b571f810989c6107f088649d1c
SSDEEP

12288:h8l/J6su8OX31+NvcUUfGENKx26oCmFeGXhrUugDbWQBhKOnYGDh5nMN:h8lznrUfG52EmF91yWshKTwvny

Score

9^/10

spyware stealer

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002035c-419.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000400000002035c-419.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe

Executes dropped EXE 3 IoCs

pid	Process
4684	2A4C.tmp
3120	Reader_sl.exe
3596	BE8D.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 58 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hh.exe	2A4C.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\opencl.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\acwow64.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	2A4C.tmp
File created	C:\Windows\SysWOW64\ir41_32original.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	2A4C.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	2A4C.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_360f6f3a7c4b3433\I386\PrintConfig.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\AppVEntSubsystems32.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\ir32_32original.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\olesvr32.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	2A4C.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PS5UI.DLL	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	2A4C.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	2A4C.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\PrintConfig.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\rdvgogl32.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\ir50_32original.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\OneDriveSetup.exe	2A4C.tmp
File created	C:\Windows\SysWOW64\gnsdk_fp.dll	2A4C.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	2A4C.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	2A4C.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PSCRIPT5.DLL	2A4C.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedBrowserWebView.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	2A4C.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2.dll	2A4C.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	2A4C.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImpl.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdate.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d	2A4C.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	2A4C.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	2A4C.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	2A4C.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	2A4C.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\WindowsMedia.mpp	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\APIFile_8.ico	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1052_none_6277ca3070041917_advapi32.dll_9512793c	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-atl_31bf3856ad364e35_10.0.19041.746_none_936e34e4ece273a7_atl.dll_0c7220db	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.19041.1202_none_2b327e97dbe87a1a_ole32.dll_e9dcc2e3	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QuickTime.mpp	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rt3d.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\nppdf32.dll_Apollo	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDFImpl.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SecStoreFile.ico	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XFDFFile_8.ico	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Flash.mpp	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SendMail.api	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\FDFFile_8.ico	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5_rasautou.exe_477abe34	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adoberfp.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ReadOutLoud.api	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll	2A4C.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86	2A4C.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll	2A4C.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\napcrypt\v4.0_10.0.0.0__31bf3856ad364e35\NAPCRYPT.DLL	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.19041.746_none_c33b9b0d5e48a5d2_sxsoa.dll_cb87188c	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_msvcr100_x86	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Ace.dll_NON_OPT	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroForm.api__NON_OPT	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Multimedia.api_NON_OPT	2A4C.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	2A4C.tmp
File created	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EScript.api	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDFFile_8.ico	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_c0da534e38c01f4d_comctl32.dll_9c499789	2A4C.tmp
File created	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvSOFT.x3d	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SaveAsRTF.api_NON_OPT	2A4C.tmp
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100_x86	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AGM.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logsession.dll	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Bib.dll_NON_OPT	2A4C.tmp
File created	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33_kerbclientshared.dll_1fa7b356	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_atl100_x86	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB	2A4C.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MCIMPP.mpp	2A4C.tmp
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico	2A4C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	AdobeARM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 4684	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	88
PID 1204 wrote to memory of 4684	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	88
PID 1204 wrote to memory of 4684	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	88
PID 1204 wrote to memory of 2188	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	89
PID 1204 wrote to memory of 2188	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	89
PID 1204 wrote to memory of 2188	1204	2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe	89
PID 2188 wrote to memory of 3120	2188	AdobeARM.exe	106
PID 2188 wrote to memory of 3120	2188	AdobeARM.exe	106
PID 2188 wrote to memory of 3120	2188	AdobeARM.exe	106
PID 3120 wrote to memory of 3596	3120	Reader_sl.exe	107
PID 3120 wrote to memory of 3596	3120	Reader_sl.exe	107
PID 3120 wrote to memory of 3596	3120	Reader_sl.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_65101ca439af15d788f6bd289fa1d09d_icedid.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\2A4C.tmp
  C:\Users\Admin\AppData\Local\Temp\2A4C.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4684
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\BE8D.tmp
      C:\Users\Admin\AppData\Local\Temp\BE8D.tmp
      4⤵
      Executes dropped EXE
      PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.9MB

MD5
1a328c180c2b33915a4718e8a58e7508

SHA1
e2dbfa5814435b1a6b993be766407f21b259174a

SHA256
f6f4c14126cd11e0aae4c464446fe4e812d99b0aa9ecdc06599afd1105787710

SHA512
2f60ffb284786f1473e0fbdc84e8ffb76ac79fc719df8a806fdb41cfe131cac05fb13c025600b3c6163f51ae462ce878bec448649925736fd63d7bb3df39eaca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll

Filesize
81.0MB

MD5
bbc271832bc65ca437378e8dce7953cb

SHA1
25f60bf1861e133efaa4b571710dec32b02369e2

SHA256
580b411955e2190997763fdc7cbddfb9ab27579c5f04c10742c16324b799aa60

SHA512
f59b62db1ef561eb7ea4bfeb505c5f7b5c3cfa5d6ab9cb4c9fe680d35aca56197c2a4e2e82e3a0fc49e770e1821898efa551f39970f966d8f576728d2f26fef1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
3.0MB

MD5
4e251ff7d3214aac8a7daeda4b61ed87

SHA1
be75c52db134c063ce1a762c2724b31bab48b1c7

SHA256
ffc44847b0a1f08308db6008328ddcbfdf95b5044f47a11d42673e0327eec86f

SHA512
1e4caad8df41550d4a98bb06d4ef90cd54506c9e7f1b68eef0ecdd2792e414dcdc9dcd2e5cfe7296c0418b3dde577b85231b48065f20f832dfb9d3bfc760e066

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSession.dll

Filesize
647KB

MD5
a154696711626b3f093c6df7d370219e

SHA1
d501390089cd78bf49c130b6856552fd54d99aad

SHA256
d93a5ab711b8a77ffe8a0e1f3dec0e6ce4cb2261d1cf21674d7fc45e321bc322

SHA512
d362b95af07a745fde54a6397646f79e82550380df1c34440d0b80fd01e5478657acd2446e9696201f3736c996a64e3f0633f636b8fd5bcfb5cac61a9ff12881

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe

Filesize
261KB

MD5
3d5ebd3eff556b27ea6b59e4b648cfaa

SHA1
2be11001f48f4163849aa248732b40038f0964ac

SHA256
45a6f061dea2240060b600c2cf60859b5b317d770c081e84eb0c8038134590e3

SHA512
643d7716e0b65cc1f4ea6f5b7922e0af4a6fbc38bd2c2fef5f25bc5c1481f4ac92c033e4a85550ef4f2bccd10c8d0035b4f037f04a68922c089d2c9488cb47a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ace.dll

Filesize
1.3MB

MD5
cedb0e46d5ac79ffebbe80cd6db9f95f

SHA1
2d2b6a3394789dfa18876d0c657adcf61c36a0ec

SHA256
2ec231f190a5f050db4a35a8e7d5922051f1a1ce2d849162027fb7b80425dd97

SHA512
9fa314f4405767e657811ed3518804b48d531117d85518be4b727174d75dcc2667aeeef87e7c7926302bca241af7d18dd9bdd4fe9bde80c58cd433a4c857ac9d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrord32.dll

Filesize
30.0MB

MD5
d3a3dcafa37fec5faac1eb9d4066c154

SHA1
b713478a94e3b1228541ce69983dd41bd06dd55b

SHA256
86a7cf0aae4ba6c6538ac85b1b3d063efbf05f8e8837d4c7ba6e81178a06c0c8

SHA512
6faa0f587f7f537fa224acc3db383816861f692f79f544e0bad9d36b2e13409495ddff88daa00e76f02505ab48bb134d33cd514b7cd00e3678e4ae9425f2b449

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\agm.dll

Filesize
5.8MB

MD5
a5d37fce7823d14a8e4e470349c51738

SHA1
342364774bd5f88f7c8a42f55ed27082ead88416

SHA256
55816e0b38f41393e317cb46d652ed97a0dc73508bf05f4e76d6ef48bd01fcbb

SHA512
d15307590aafb63d4b63160bd77f6edfb168b5fa94e5b1fa5e4b76c89b21c809aa12828fc1b93e42f17dbc46b4c9b4c082385acf3c534d65eb0e675cc9be61be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\bib.dll

Filesize
366KB

MD5
55681dc5e4ffb679abbea654f2502ccc

SHA1
49366c3ba6fe0cfa3e713bde43e5da7ffc372ba0

SHA256
3d098dfcfb2c78a89f9aff924f78dac8c017f58da7e0445062e016d21fe91de4

SHA512
8ba17944fe08bb273cbc991a1d90fcc72bb19e762b817a34b08ee2b0b7b6fdae845d62b2d2b329678a431332260acccc58be85b2bf6a77c40686c5c6d8c66487

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll

Filesize
448KB

MD5
6a0fd189aa20d618345ce4a27a4c955b

SHA1
148e1f31880ad9dd0292e8717af7dacfaf4aa122

SHA256
6100d1d0cc0c4844d445a41eae5aaace5aff275c4074e3e057e1427059f844d8

SHA512
bb6446baea57673edef7c14da004ad25a39f70755340186c1b76d81016b28592aa45566507fd53d59c36edf4d652224f4671434f127e6e4e31f83167e33cdece

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\accessibility.api

Filesize
794KB

MD5
93e533fbe18355fe6235321a0315d73a

SHA1
23aeb54fde5c55706e3640c1a82bbbe8d9450b2b

SHA256
ef77ff6381962110fe6ba4a8f8bd6cdbc7d794918c88d7114db00f83244175d0

SHA512
2fe5fcdea4de07c35d5c3852269c55e67771cf55d9db52445f112e842ea957837795dc0f9057f72522b3699f7537199370a5d922050b91a53672529ee487c2ab

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\acroform.api

Filesize
15.2MB

MD5
57e39c68407b7c2f40df851a8e41fdc5

SHA1
f0f4e70e7e54da62092fd772bf9a9bac1db46316

SHA256
51142da273984d3ea795741b64340913541a78597cfd629e126d58a880f6a712

SHA512
3988fb5518010bfc2a1fdbcbcb8aea82abe4c51f56ad126a10dfd2102c7ea17e6f737c5134111427d8b6eb8ad3f93efd30ad66bfebe738f3eb09d38dd0811827

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\annots.api

Filesize
8.3MB

MD5
a0304002f96cc3f51a6cd940d113f74b

SHA1
acaf7b52d72bb0999c98eb3a9971db154abe8e2a

SHA256
99ae335f10f59dfb337edb1600dd439f0529b81a5ccaf72a52567683c718ffde

SHA512
9980b4e98207ec7584d702259e3cb28e294462dcfd24dad14b53c6deae8e7b79f4c2afaf646bd823c12022a5302f53025372a3d0901f57e14d6b507ce3d1f1a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\escript.api

Filesize
3.3MB

MD5
1949662663c3be85793288a7140bf4ad

SHA1
8c3e6bddb4f353ff0d1f7a32cc85b9ae9b665c9e

SHA256
e233eae79d04ded49ce7e4266e0983d592fcae103819e35e2cc326162d805c2e

SHA512
90dd9346d2dfde28786e94e9fcadbae7088b762c98635bc0c7264e6829e21ec2b32b5c618b077c2d0ccf34e896b67bf7ff4f32fb51ce168c4031a12bb03891f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\makeaccessible.api

Filesize
7.7MB

MD5
98d644b39d8affe5eee411816c450430

SHA1
73c6240abb1375df03d37f0619060498b3a487b4

SHA256
765690816d5f3b944830a4883f5a4c4a6e91163acdfea1354b47dea92ab682ea

SHA512
d6a07db90d175a104585b7762a6440bf9e145b7f101a4b90a057ecc4d06f4d3135c363210223e3120c339606fc5666fa6e548c07a0def6f1695a61216f31f964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\multimedia.api

Filesize
1.9MB

MD5
c3d0d7ca4efada69a55ee7c36997ed83

SHA1
6fa3a7bd1f82b7d1364073b95e956bb4d3676092

SHA256
27b7274dfbf8c2826f90901f8cbc0d6df9bab1a49425225e477ff86589addbbd

SHA512
7c9a97a495aaad471621ca250d15fc8f4bc4682525d7b3d9249dd047011a670d9d777d655da8f068fbd0f0dd20a589efa718a15c7cef60f3d5fdc397c21d184c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
322KB

MD5
2a48d5c03045aeae9b22d56ca60a2601

SHA1
d658a18721ef896e24713047f5da561ecd2037c7

SHA256
ee3f0edcafcbd5d991d472dd214f1bb526d6997d90785c0e1809eea3969e4dee

SHA512
0ea180ae09cc0d2e21c19ddbbb985408422e0ba19cb723a473c00498008b9aa75d280f9ac412f724ee543fbd5b56cdb54ac4e786ed1727bafd74d16d4d846100

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ppklite.api

Filesize
8.3MB

MD5
374e8a316c1a4fc1961cfcdf0c6864dd

SHA1
acb1272f39936e7058c1026cd16a82a1e92acd5f

SHA256
9fbd6d9ac0856318e9c63b6d4078ff2d44cd22b87276cc541f8ad1e4f23b371e

SHA512
6a0971d642b3ee42d118391ff6f1be9b57b6ffbd2535b4552b69f7e17d691c8c9c3fa30668bd4e9f1d29fcc903d9805a5bc6221c0bbac769eb38db1f14bcb9eb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\readoutloud.api

Filesize
339KB

MD5
2a10c2066b9723a9f5f505d339828878

SHA1
04c908a80adad70f0f9ccd37857526d4f2131d62

SHA256
35bd0194818e60d39dea4aa6f9c9cc43323b3b66bede2263e02aa3cbedf7f63f

SHA512
7c86d8fb79d2be41c79a68834f76364dcd5b1654bb48cfa2890b06a2e0d46963b88b73dc11226cefbcb0aa23766f7bc7d454abb734ce05645576fa0cf4ade87c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\saveasrtf.api

Filesize
723KB

MD5
691b4af1aa575025a1eece8a9e0387c9

SHA1
93e40343733a933ed499b16998f414bd801cfdc2

SHA256
98f30ed45ae0b47cc3834b80a839bcc06a543dad4217f8f716b09b84368654f0

SHA512
59cab27cd04af12ae3cf72cd8abc562d611d7a95d47dbe41985c49dee660f7ea3d444a434701dddca42eda542723c1ca595149869c9fc365624203df22091b72

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\search.api

Filesize
732KB

MD5
1c7d1dbac07298135e2579c40d603c82

SHA1
454a3b05a775dcc9e3b5460bb27f1650b9ec6578

SHA256
c1d324ca87c0bdc4cf5787c4f70ecb9b0138f59ba0ace832b352e6b69e212d53

SHA512
2aa06707d45c045a4c5df3f8a661030b5fe6aa863d09d6dde2b205ebd8c6392a38439ab35bf99840cae5999be12662b58f3672d952890599cbc575674d8e5106

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\sendmail.api

Filesize
2.3MB

MD5
1cad11592c0589de7f70157c33c13a71

SHA1
b6514624c2571764765ecdd4417df055da58b4ef

SHA256
d094944683b929edc1159e9371a7643d8c107e02d333e4283d5a6ecaee776c90

SHA512
b26f416fee46c24f65cc58b9de24ceb319474acbf2b57299c5f5622c975b088cb80d2da6cf03dc845df4ba9c3a344ea6749cf9158b06a6e4fb27805f42f91bcf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll

Filesize
777KB

MD5
d593bdd93fadb37556e68c91150b0734

SHA1
d039591310efff136ed244d1baee5d5b437f47e7

SHA256
95d9439195918adf752eb0d8b5e042cc12381e8b1a27b9add255e10476090bfd

SHA512
bba49df6c605386f6135ccd8d3096d10f757b893f59850f180006dae069caf0fe69d876ec3fadf1a8cb042fc197c5af1a3116125b241fe9b41207f04c808dced

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
709KB

MD5
6a577cd59af1fa83854ee71d1a25466f

SHA1
bf24b355f2f07f813ef33ca13384c0ebfd9f5da2

SHA256
fbe814802f7ddcc70cbcd83849d5e79c7746423af064fec4b3c64c1dcf239f64

SHA512
87c74504cfdbf38ccec982b8845bd7c211db122e626abc64400155dc643efc8aae6c9424e3580ed4ba7df3dd8178c68be491e0ed153bf931f3ee9f39a4fff010

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
746B

MD5
5757246b0746f04f7c6c7685c433d80f

SHA1
910a75876285c35fe0fa03c11f36257aeba8a2b3

SHA256
d33f7174ff6e717d72bfb38cf92e25135823d3d02273bf3f575f95d2afdc12dc

SHA512
8f2f3642154d4f016f7679567cc5879e8d4a794a07b62b9663905406a77aebb111b04032353588719a631d9e5223acf543499ef7f7b36e0e15ec966c638219f4

Download Submit
C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
1cb35171b60ef6ef47129fa905dbbdb2

SHA1
f17d5416c2024348ae2c226d82544a3180b4bd30

SHA256
f7afcbe64764a094e05ca2006f4a1b41b1c3a662b3809f9ec10b817535eadaed

SHA512
4ec3cbb29b27ffaf9a576b0734d597de5d70942e007daffca360aa9ab284cce2d94eed351c795c1310f1072a61cbaa0ce85b42cc9524058370c3753f8add4ffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
471B

MD5
1c2cbc2867043ff804a73eadbd71c8b0

SHA1
ba95fa301e0b7c38aab2871a6998ba76c46ea6d3

SHA256
bba7de21e50f57fe9535990123728f199dea356b14e1b8a63cb79fbbcb0acf89

SHA512
50b6d244dabdf33bcdca70ece797a7d886fe6ad06843e9969543ca4ac79fdd8b447b675591cf0df126981128c0e4b1d5e7befd20512eacc4ba4adef03f86eba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
2fe131a3e9affb3133e9d3d4220de856

SHA1
495a99df5bae12f085b8306f58d2a07fb1ed55e5

SHA256
88b1e6ed04b63958bee9bd3d9d50f6b7a990f4381af43a343c7db872094a6ff8

SHA512
6313141d09d1737e83bc0328e35ae6f634910626bb786b517b5ec3a334eb45fe2f5a94d9ea5b0ccd9f9a532e7dfe7cd0d12a62538ceea9dbf5c1f43cbecb078c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC

Filesize
408B

MD5
67816e3990df88fd86a9b06cadd55ab4

SHA1
ae10437f5b75c23cc6c9359a8eb8055a1153363e

SHA256
5a286cb9bc159cb0baf11fbea89e9d98a468bd8d9e2c776ec6a0c22cc429545e

SHA512
b47cc778b0b34218ef41df44ba0d341183f235cdd44410d7e78289ac8f504a4fe21b747d844b65c64d1d3c6737fbf36efc3d99c53407a117a0553e0670dea14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A4C.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
33f81f49a80184bf6d7c64f6a47ccc55

SHA1
f1bc70067046a1b2be61d2938d5e600d0ae5a088

SHA256
2afda71f37451a4cb4e4018646e05ea8e19841003f4b929ec871402a98965e00

SHA512
af770a00e22484edf3fd3a515ae71a848a8cef51f66a8aa97620d926c662c5438e26226c1bc0ff3c4729be05ddd47b2ff971b524f7b9742b93db4b7916e218ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5BCC.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpBD57.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC15F.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
C:\Windows\SysWOW64\msvcr100.dll

Filesize
1.1MB

MD5
910a435f5bb26f219c2216c142b9d5f3

SHA1
cd5f92e5d678643b1e40952636aaff8a8862b10c

SHA256
5a5cd23c509d1dd823a3139aa5e4fe4a6b0284ef382cf8a6a5f40ef697f4c2fb

SHA512
403a15b83ea5e8e04c1921b2b713b4dd0b36982e1d96aec6718aad65eed884d28b531f015dd4e5f64d5057a0f16db15e03446adad192bc23d8d13b3e8e7fece0

Download Submit
C:\Windows\SysWOW64\msvcr110.dll

Filesize
1.2MB

MD5
b92f53e2c195618d2422cb1c46be49bc

SHA1
6d441e3b6a62d0ff8d55fbf606f5b05dbb1c742c

SHA256
c658de6182a99dbf5e2b7b49659cee6510204682a885a39cd43f6754a1c394ba

SHA512
f67d26c72a1b3711e6eb4141c8bd121ef11fb368c141801150ee7061908e7a781196bc559f944e37e4293589c46fc1dca32fe84276dd9acde407beda20d309b7

Download Submit
C:\Windows\SysWOW64\msvcr120.dll

Filesize
1.3MB

MD5
e5a16b259b2a31dfb1847ab94f314e09

SHA1
a0945f061ad5ed60d4d68d75561e3b0d2ad131e8

SHA256
dcea61db2cbf9df8bcdfef86af25bf420c00f4046386e586146b5715991f3788

SHA512
b6a5223b9e01573b25b13242238c7c6ebc23106b34b619ea9633c406eb817c869a4d21a5da91dc9be3310395179648d1dd389d5f5f9e806e7ce279c0e3693946

Download Submit
memory/1204-1-0x0000000000990000-0x00000000009DF000-memory.dmp

Filesize
316KB

Download
memory/1204-0-0x0000000000990000-0x00000000009DF000-memory.dmp

Filesize
316KB

Download
memory/3120-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3120-321-0x00000000006C0000-0x00000000006F6000-memory.dmp

Filesize
216KB

Download
memory/3120-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download