dearcry | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
102s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Size

1.3MB
MD5

0e55ead3b8fd305d9a54f78c7b56741a
SHA1

f7b084e581a8dcea450c2652f8058d93797413c3
SHA256

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
SHA512

5c3d58d1001dce6f2d23f33861e9c7fef766b7fe0a86972e9f1eeb70bfad970b02561da6b6d193cf24bc3c1aaf2a42a950fa6e5dff36386653b8aa725c9abaaa
SSDEEP

24576:LU5NX2yJOiUXmEICxu2WAP0NIzkQM+KpPRQ9StIUDpl1fpxkHVZgMCS+:L7XP7P9o5QzUtl1fpxkHVZgMC3

Score

10^/10

dearcry discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Family

dearcry

Ransom Note

Your file has been encrypted! If you want to decrypt, please contact us. [email protected] or [email protected] And please send me the following hash! 638428e5021d4ae247b21acf9c0bf6f6

Emails

[email protected]

Signatures

DearCry
DearCry is a ransomware first seen after the 2021 Microsoft Exchange hacks.
ransomware dearcry
Dearcry family
dearcry
Renames multiple (7591) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-976934595-4290022905-4081117292-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-976934595-4290022905-4081117292-1000\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\desktop.ini	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	DearCry_13_03_2021_1292KB.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-100.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\1.3.195.43\msedgeupdateres_en.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-36.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-150.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Utilities.v3.5.resources.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Microsoft.Apps.Stubs.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\libGLESv2.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-16_altform-lightunplated_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\ComboBox\ComboBox.styles.js	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\deploy.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Windows.Input.Manipulations.resources.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\npt.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-125.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardTitle.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-16_altform-unplated.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare150x150Logo.scale-125.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationProvider.resources.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleMedTile.scale-200.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationFramework.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireAppList.targetsize-36_altform-unplated_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Icon.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\Microsoft.PowerShell.PSReadline.Resources.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_133.0.3065.69_neutral__8wekyb3d8bbwe\Logo.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Microsoft.Toolkit.Uwp.Notifications.dll	DearCry_13_03_2021_1292KB.exe
File created	C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.POWERAUTOMATEDESKTOP_1.0.65.0_X64__8WEKYB3D8BBWE\IMAGES\CONTRAST-BLACK\readme.txt	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-100_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\[email protected]	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\main-selector.css.CRYPT	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Overlapped.dll	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-lightunplated.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Stack.js	DearCry_13_03_2021_1292KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js.CRYPT	DearCry_13_03_2021_1292KB.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.CRYPT	DearCry_13_03_2021_1292KB.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DearCry_13_03_2021_1292KB.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{E1048406-7D72-4674-926F-0436E2BA3831}	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5048	explorer.exe
5048	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe
5048	explorer.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4192

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

Filesize
388B

MD5
1dc5d31ef9205f1034b64d635d59cb32

SHA1
c172576576c5ac5a3c2912bdfd0c8365b5365513

SHA256
676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065

SHA512
bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

Filesize
552B

MD5
7d00bc0d46dcb90890a4fe6b76bc5c3a

SHA1
7159b1e1c264a6863708a971eaeca32cff864aa1

SHA256
2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33

SHA512
2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
6e8d259daabf1168ae5136a3de48ee80

SHA1
b015257e3ae0810ddbda53c0b12991161a863ffb

SHA256
13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f

SHA512
cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

Filesize
1KB

MD5
88151ac4ebd7f5ff2d381c65e68cece7

SHA1
f979db4063d15ef2e32db3c38890899bb87c78e5

SHA256
c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8

SHA512
326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

Filesize
1KB

MD5
60f1a26612dc049ce3e00fe917b6475d

SHA1
05791d089cbcd759088adbbd9483433dc9a10206

SHA256
8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece

SHA512
06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
ea321d33cfeb1d029794bd01c5b78e85

SHA1
4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b

SHA256
3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55

SHA512
f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

Filesize
1KB

MD5
a660ce180dea34b4944d83569f4789bc

SHA1
e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e

SHA256
03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8

SHA512
9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

Filesize
1KB

MD5
cdc58b2bf0a1a34f96af8fdcb62dc30b

SHA1
69eb0d674e9830e81cecdd610792225a2a5dc265

SHA256
3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c

SHA512
d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
55c2b47c9aea50661a855fe91eb8ac32

SHA1
13ea23a51394ea2c13420ddac1294eae6f82f846

SHA256
ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72

SHA512
947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
808e7aedbb1da793b86c92816309035e

SHA1
b4a2fca53290a35ae222f2cdf80f68ec7eab51e6

SHA256
a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb

SHA512
0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

Filesize
1KB

MD5
5c1dc195043bdea8525930a9882c10d7

SHA1
17415e551255ab016f7682d7b33451cfcb91e687

SHA256
019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5

SHA512
e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
162B

MD5
8db5f9dff9d857a8827ea6d66fea4880

SHA1
ef5de087109543e49ee7fe70adb49efe27e15121

SHA256
e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10

SHA512
70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

Filesize
1KB

MD5
4e6de5201d795432e75c0628dd306b26

SHA1
80ae62145f6bc55c2a25f68ad9d6bc9fcae496db

SHA256
1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788

SHA512
950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

Filesize
856B

MD5
fc4cdc00064f47d2eedf58bd02068fe1

SHA1
cbb7157d8c560e9b2cdffac3a2b831202d76d2e6

SHA256
0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0

SHA512
753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

Filesize
1KB

MD5
c5596fa17e59cbf92a2ea2e1ad5c6f8b

SHA1
4153a71b5750685afba568403ed7522e83a9894f

SHA256
5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99

SHA512
762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

Filesize
850B

MD5
26645133c9de7799e35cee0e47b82ee0

SHA1
bb6be735f6814d765bbe6b3f3ce034d1767366c5

SHA256
1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36

SHA512
c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

Filesize
802B

MD5
89728f1ec13231dd11d2ea20afe39d67

SHA1
b4350cd128350483be389b2c865633bd1ae0f78b

SHA256
aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754

SHA512
58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

Filesize
179B

MD5
a93c09c1a326a8733b4eceb713ca7457

SHA1
90ba7a4c24bb0d424abda46b736170ea3b43e541

SHA256
d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a

SHA512
432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

Filesize
703B

MD5
cc62ce00dfbe76fd8affad9c89fced8c

SHA1
75d64cc57ff45a50c066f882bfd8e3845f8fa323

SHA256
e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e

SHA512
028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

Filesize
823B

MD5
fa904cdf440c6743078637992d58489f

SHA1
6969f407be2a1b52c5a41be256433026cabf9917

SHA256
152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb

SHA512
c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

Filesize
1KB

MD5
573dd292166f86741bb965ee068c3793

SHA1
169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9

SHA256
ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e

SHA512
0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

Filesize
924B

MD5
bf70043c03230a91bb5b402e7ee67e63

SHA1
2ec8302c3ebe1e34abb5e0c813abceaadfc5073c

SHA256
a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75

SHA512
ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

Filesize
931B

MD5
7adbce4bec815b574ab3fc6d85eb1937

SHA1
7d14e52fc6aa5796996988e9feab97c31eab1e0b

SHA256
efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79

SHA512
4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

Filesize
1KB

MD5
478f0065e127108d705114b29fb9170a

SHA1
3d954983b0594275bdbe444336baad9517129b79

SHA256
1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9

SHA512
4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

Filesize
851B

MD5
661fea8b99a08e2422d8b5b9bcfd9921

SHA1
54a78f38a3599aed6d27c6fc711d7af7a205c524

SHA256
60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad

SHA512
69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

Filesize
855B

MD5
3dd77972f6558af4969a57eb4f19f2d0

SHA1
d56f6ebeaf408c667bb9491845a33ddc19d18947

SHA256
cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644

SHA512
68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

Filesize
849B

MD5
95e6ecbe44dc4ab34323c697c6568b56

SHA1
0ca5debc2a7b53245ae6b7d6594ba93b3152bdee

SHA256
d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c

SHA512
af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

Filesize
852B

MD5
4fcc8af63d8fea1581c1e96e9436e913

SHA1
5c09be5c84dba1172a2503a3406223baed06f8bc

SHA256
bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d

SHA512
4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

Filesize
1KB

MD5
21a5d65fbcf76ed1b8e9489d3bb051f7

SHA1
dcfde89bb81642e0b1bcb2b4d8c0fe574e912950

SHA256
f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4

SHA512
566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

Filesize
1KB

MD5
0e038344281f0aa0a74103dd77048888

SHA1
163a5a2d3888eb23ecc17b53865742f3eb7aa3c1

SHA256
f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd

SHA512
5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

Filesize
1KB

MD5
c4b091c93a4910ecfc619efdf3c56111

SHA1
4147f571dfd1d77b6a6943c57784820bd0cba24c

SHA256
d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a

SHA512
b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

Filesize
289B

MD5
65afdbfd57a964a5525ef68ca68cb5f4

SHA1
986fd9886e54eaa35b90561c94b00f85eb758711

SHA256
322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d

SHA512
88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

Filesize
1KB

MD5
2870d12e27e8a50bf66493145c06939a

SHA1
f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e

SHA256
dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272

SHA512
39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

Filesize
1KB

MD5
d1dfee6d7b14e63f64c349b2cae8ad27

SHA1
fd382215ff99c0993d8924f18ff7912b4835f4ad

SHA256
b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4

SHA512
220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

Filesize
2KB

MD5
598b166da1d843121d50f9593073a15e

SHA1
e41c87d8fa9aa263dfe783bdd692556fb8e24f43

SHA256
c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5

SHA512
107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

Filesize
2KB

MD5
48a2c150eaa7d9fe84e7e31163e67495

SHA1
cfd5375b61328af47b784d2e1229c95c9355ce06

SHA256
ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288

SHA512
e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

Filesize
385B

MD5
34300ee4cd847a5329747c2294699c1f

SHA1
5e1086c8ebeaf9205517c82d8ae1711931ec48e1

SHA256
122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe

SHA512
ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

Filesize
1003B

MD5
d82b1439dcd0ea62ce3edcf6d36eac1e

SHA1
f5216b9a0c6b294584b24a5fd50b43e79d46310e

SHA256
44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff

SHA512
bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

Filesize
2KB

MD5
7d1b0ec51595563c9214ddfdec36f303

SHA1
bbb988973a8281943b5bfacb8ab03d97c0f0f398

SHA256
c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9

SHA512
709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

Filesize
840B

MD5
ac24e253ff384d8523af43f5a93688f7

SHA1
beb4ffa972185300803e9a1f6a16ec062cec1015

SHA256
f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff

SHA512
9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

Filesize
1KB

MD5
cb05ff26ffcb30838de16f659f8d93c9

SHA1
f9e977e1f60be49be8a17cf75d31f4a7620827ab

SHA256
ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d

SHA512
26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat

Filesize
63B

MD5
5f1c4bb2970471a5c75b7ba1dc9ee3ed

SHA1
0ec86b3f3ac34ad860fa8da56bcca03a54018049

SHA256
1b58d00f5b1fbd2a1884d666a2be33c2fa7463dff32cd60ef200c0f750a6b70f

SHA512
b973335129e4a8dd92d0984e16cff30899de8829be3c87df30d61a88e6bba8fe1767ffed6ee9a9e2665269cd6c7f3f0bfe8f9449cf16b924db57edfee8f12877

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\show_third_party_software_licenses.bat

Filesize
270B

MD5
44405fefe5799ad2b15f58cada9105d4

SHA1
9172b64b5fcce03c2798322d2fde6cb36726f0fb

SHA256
0cef594c2af7dfc584e30d1813f901aaa5f67c13f7b2141b2220d167abc651d3

SHA512
dfb392a59f57dc184e13ef5f759e0e21bbd36d253fed04971c8fdb42770433aeb778956e3df8625b10544d2fbff3b6ea666c68fe6fd63b3e48353c33f993bb89

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
f4592d9c7f114d591e4b1faeca54f10a

SHA1
46dedbbaa8f09175822b4a4ba39b6c3d46bbf133

SHA256
633dd753b32e1458d78280440522f47424131fba4f94aabc2b8289285a08ddda

SHA512
7eb9a286582202b9c2d8ce27227a5985f72676e82d25b62add201a311b76ad5ec557b9670b006897f4720ee721f9a1679444afe0b2e277d1ba3df97610a47ede

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
190B

MD5
f0be99f92d8b8ad3d79c9aa580fc2f08

SHA1
a9ab5160208575c2c19277491406d5c95690a5f0

SHA256
e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0

SHA512
c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
950ac8e007b49ed7acf1646758393817

SHA1
3a795f27aac36ba92f33165a6550cc7f201b3254

SHA256
4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e

SHA512
6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

Download Submit
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

Filesize
744B

MD5
c181d62d13f055127f354bb60cdfa03b

SHA1
6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a

SHA256
d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6

SHA512
62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

Download Submit
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

Filesize
223B

MD5
dbac9649c4bd702f55fbd1afafe87c44

SHA1
0d914f4a809cfe400ca111ebfbd0ad552d500785

SHA256
b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127

SHA512
86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{5AC63DAF-B7F7-433A-A9DC-2A92EB065902}.2.ver0x0000000000000001.db

Filesize
1KB

MD5
8b836d8d3ea988668ddae3311f514a57

SHA1
af3199496b831b74bde630f871615ce5848f9857

SHA256
ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5

SHA512
f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{5AC63DAF-B7F7-433A-A9DC-2A92EB065902}.2.ver0x0000000000000001.db.CRYPT

Filesize
1KB

MD5
468e2f62cd4611a9109a2785b9917352

SHA1
57389b3f8ee7525251733db9e7adf7d0bb0b08c3

SHA256
06b7de1e82aab44c1476e145f2125358eff0e7ad9c447d1c347fd32cee06161b

SHA512
0dbada4283d54c6950d9cadc7967bada4b33c84a8f5408433a5ac3b2adef84826166236c2b26f80995dcb1fb658908127a82612bbfc7297922057aff6f08bcd3

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.CRYPT

Filesize
624KB

MD5
618a12e4495085ad18849d78ba5a82a3

SHA1
114b54bdd530e1d8d54434a35a653c63b7c9f7d5

SHA256
7af4d2584cbcadc9109cff44e68b10d9c3346c23bb661a1e2843e48eeadae007

SHA512
1eaa92506b5b0b40d637a2195961802d7550812ddea8ae44ae2e27807d659b830b8818d1aa4e584fba64aefc18e07f95590c620235e5ba7ff201f29e31230171

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\498f6229-2508-a7bf-d6fd-d7b590a542ea.xml

Filesize
2KB

MD5
29eb0301f92bda0d67f79582acadf847

SHA1
2c2ac90238793f699322833c2f8bd043cc29ddec

SHA256
221ce3a8c269f4dff433a9a8a9807f65d8fa7b302e640b245f7293a0998363d6

SHA512
61f47426e5dff09a432a7848f3d07cfb5f85cab6b327fb416c31223e6a5ecaaf3a3f065a6c4bf0a352fb4fd3c7199ae481c929c43da3d596000f87d7f6bd52c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\page_embed_script.js

Filesize
338B

MD5
e54914068570928febe65c8dc7fde287

SHA1
46d0a3754b75fafad74cfa0912ccf2d9457c14b4

SHA256
a4c65a576c9848bd6438ba704e90be3d2ea275f83de420608343f6a27691640d

SHA512
0a34db8e8a6ff3e67e1af3e63f062a2e7b8f43f8d74a620f130ed25bda34a3300003ea95c3a1ed86d4348a34e450548075fb3d914b87beb25caf4b430f84db00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

Filesize
174B

MD5
ace3165e852adb8aedbeda2aa3be570b

SHA1
4577ff7e92850e2723008f6c269129bd06d017ea

SHA256
237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f

SHA512
cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
24B

MD5
c7c6abfa9cb508f7fc178d4045313a94

SHA1
4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2

SHA256
1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4

SHA512
9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{565a40e2-a183-4c58-b33b-a2b7193e162b}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
f6a6263167c92de8644ac998b3c4e4d1

SHA1
c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403

SHA256
11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d

SHA512
232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads