hxxp://www[.]free-pdf-creator[.]com

Analysis

max time kernel
1169s
max time network
1171s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-03-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.free-pdf-creator.com

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
672	free-pdf-creator.exe

Loads dropped DLL 4 IoCs

pid	Process
672	free-pdf-creator.exe
672	free-pdf-creator.exe
672	free-pdf-creator.exe
672	free-pdf-creator.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	free-pdf-creator.exe
File opened (read-only)	\??\Y:	free-pdf-creator.exe
File opened (read-only)	\??\E:	free-pdf-creator.exe
File opened (read-only)	\??\G:	free-pdf-creator.exe
File opened (read-only)	\??\I:	free-pdf-creator.exe
File opened (read-only)	\??\L:	free-pdf-creator.exe
File opened (read-only)	\??\M:	free-pdf-creator.exe
File opened (read-only)	\??\S:	free-pdf-creator.exe
File opened (read-only)	\??\V:	free-pdf-creator.exe
File opened (read-only)	\??\B:	free-pdf-creator.exe
File opened (read-only)	\??\K:	free-pdf-creator.exe
File opened (read-only)	\??\O:	free-pdf-creator.exe
File opened (read-only)	\??\T:	free-pdf-creator.exe
File opened (read-only)	\??\X:	free-pdf-creator.exe
File opened (read-only)	\??\Z:	free-pdf-creator.exe
File opened (read-only)	\??\J:	free-pdf-creator.exe
File opened (read-only)	\??\H:	free-pdf-creator.exe
File opened (read-only)	\??\P:	free-pdf-creator.exe
File opened (read-only)	\??\Q:	free-pdf-creator.exe
File opened (read-only)	\??\R:	free-pdf-creator.exe
File opened (read-only)	\??\U:	free-pdf-creator.exe
File opened (read-only)	\??\W:	free-pdf-creator.exe
File opened (read-only)	\??\A:	free-pdf-creator.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	free-pdf-creator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	free-pdf-creator.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	free-pdf-creator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	free-pdf-creator.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133561207431286016"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 8c0031000000000055582e7e110050524f4752417e310000740009000400efbec55259617c580a8c2e0000003f0000000000010000000000000000004a000000000025a7c300500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Key created	\Registry\User\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\NotificationData	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\free-pdf-creator.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\download.htm:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
1396	chrome.exe
1396	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
428	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe
428	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1924	564	chrome.exe	78
PID 564 wrote to memory of 1924	564	chrome.exe	78
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 2392	564	chrome.exe	80
PID 564 wrote to memory of 1952	564	chrome.exe	81
PID 564 wrote to memory of 1952	564	chrome.exe	81
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82
PID 564 wrote to memory of 3744	564	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.free-pdf-creator.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbc9cf9758,0x7ffbc9cf9768,0x7ffbc9cf9778
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2780 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2788 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5420 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1624 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=828 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:900
- C:\Users\Admin\Downloads\free-pdf-creator.exe
  "C:\Users\Admin\Downloads\free-pdf-creator.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  PID:672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.free-pdf-creator.com/lps/typ/?offer=false
    3⤵
    PID:688
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbc9cf9758,0x7ffbc9cf9768,0x7ffbc9cf9778
      4⤵
      PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1740 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5728 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6132 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5400 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4444 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6036 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4844 --field-trial-handle=1848,i,14975043152087377534,12996999942354163955,131072 /prefetch:1
  2⤵
  PID:2160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004CC
1⤵
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9f274285cb69b93ae671f679de48999d

SHA1
45737398ee1962230a835dfffaef7a2ffb02bad4

SHA256
65c815cbba22347a46b9355aed50cddea336290ae4d6ea3a8071f991d6613788

SHA512
2bc175cfbcc2720b7d7c775f6d26233889ac65b8a9b68767e91f9266d52e2e02eb33a799e1f2c37f899c059fae703d4c51de8ac1f5cf0d01c38aef60fdb47ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
4c676d4fd4a47ba04fdaddcef4faed06

SHA1
fdaaf9dcd3470050ece41b7946c4667846fd6be9

SHA256
a955c4af049dce170cf76d8194d860664f244ad45e5cacbab3b2dafd77365302

SHA512
a5feeeb43e5687b0e6875de7d371f030c712e48c441b9b2b6f4081504e01fb23249e1b0f039bc29e71106a474967b13c4d47cb55fbb1472f8acb202959f8c2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
057fc0f19d4bd6374776b5afa14598eb

SHA1
de4b1b69aefd3318f6a4bdaef615f270630e77a1

SHA256
f24e881c77a19720f3496bc10dad67b62860762a3e526b24757f9d97a7fb6a9f

SHA512
88ff5eb45dc1ff47413e4b42b1777c4eea93435c83010ca07b06ec44a390815b49edeaf08ab27a2b95a0527a114fbb009756a4e950edf42639142a2850d64b06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
074220ef0770488475fa497a5dfefad5

SHA1
7eb314aa74818474affc77307a3e6fda47b07ed6

SHA256
8c221b76ac8ae204984957f360a12eb1a73b82de7d2ba5e4f36216f909795414

SHA512
f633fb09c49473e2f78a31c3d2f547080f078ed6b8429a733c532dbde379c10e6f708bb1979a44858706361df5d5c91240bf59755fd8d3d2fc7caad86fbb6a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
96ea90435c0f63073f8776a271677ebb

SHA1
303e6fe617dd5b8f86a5ea12d2dddd875b10febd

SHA256
c8c41af7fddd1c7086126eb0df2eef97c829a7b647ae9f2deb944e9c9a58d319

SHA512
2b42bce408b653bcf2ab2ad9cc86a87d921a269c0b19ec46aec27f3c11a5110c8978383eb105d3b074711586a4264d704228c5022a6c924db1adf85b48fee6ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b96d7a93708900af1106a49433d71a9

SHA1
b04bccceca4006b1095c08fbef1023f4a9707fd1

SHA256
835ac22dd9df487276dd0e1c30aa45599bb539a7133f69d741522b0fcdfd8ee2

SHA512
bc26995ade40e476dc5b95d3e4c9057405f79a532252504d250da8a43b24315a3616efe6de32eab7159820808604bb51e0bc326253a94137a5cad895104ce8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bb31996f4e107043d7fcec542c8a79ea

SHA1
5d081b1ededd5f50d99384a9c5f7702c91547ff1

SHA256
8b755c46168bdf5dc0f5f80330a53d45cc9f7b86538ed54e2e803bd8ec33fdce

SHA512
5de2be13ec6733b23b5c31eee58c71189255737f91688c7a499e27a4b9f641ed76b59b8867f1d30123e859b0f0c441d68aefbc5a71d4e816b0fdf558d55f6a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
facf3f68983e93b99af5194de1d21216

SHA1
5d768942f465c876a658c35bfeb54fb9f0304fa7

SHA256
20861e7b822dc9ba6662ff170f8efa55ff56374b03c47bbd42def144e47e132c

SHA512
84e223e0b1a91935fded907f442e9d6630a639a662f9f88dba2b9681c411655b10852d04a109ad036cdfe1178a984f15a79172a64935bbab64e66d4e9f7e1d37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
100e86660a75e17a1ceaed3a869d7455

SHA1
46322d3f494d7df0c1f798ee31d152aef913d2de

SHA256
22f81a3537e9268c1789fdf4909865e4d87a6d4a068e86fa4f76b2dddea25d62

SHA512
79dc4338d8fb09211c697ee2fafc56e32582c054a90442b5173d59c50de930a38eb085864bc6185688931f072c104647d1c9034e80206c7637ec490af6d0791a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
870B

MD5
81adff0b9b48d7c92871560c6a0d6d35

SHA1
4cbd220b72cbae200271e4d4398ba33879f6fb3c

SHA256
1cf33db3047c519ba8c9dbe97afe634daf6aedbd055b422a2646f070e1dc3f36

SHA512
aa6bad9158da111e0fa7aaaef5280faace3a1738f7a0498284c7b9c538519db562306c805792032ce8f2195fe542e4345ee66643b8444ac32fa411b29047fb5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
e3c33ecea09801f0b8707b1519542211

SHA1
e85f7b734f8b3cd5ef57bbddaa79ae838d71c8ef

SHA256
6c2ed472fb75f47d20df11dd0247b7e918c836a00e61ae5d0e6987283e1429a8

SHA512
de1656e93c6ac75d68deb2cc9ea3d457d96a4f3caca25057c3b28b0b88ef446daa2fca2b9f35859bd21017510746911c4c49722f18226be496393d84078382d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
2fe9fc23396094cc2ea7818bbf0be963

SHA1
67e2934c98337a0dd8e70e555994c43590ee3c62

SHA256
d8f5adfdc0c27ee5358bd5c4b5e38f23b242451fb61fee2c27afaf1a4844609f

SHA512
b67552a0e5be12d39d5a046a44cc8b948b038137ee1c009d003bd6f2930db1b0a6e174817d2a11534d684be9e5da06893d9b17683ccdd3fb38b5f27ba2048496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d4b39aea8975d01b53799e61b7848a58

SHA1
c4a19cc280874422cd46d8b8effa62baa1115329

SHA256
18b4ec3d115ce4cfd75e209bccff76c63e3e59bba26b07c89f6612c9355e4379

SHA512
22266eebc8c4ad17aee418d9d4671d9aac5679046c2756fc0f08b12bb227704f4992fb68c6f81210cc17b015136550a6d871d68a255fecfa8d886062e4fe0584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6377f0985a19151cdadd99c87f7adc12

SHA1
863f41ffc4e8624e16b082fbf378159c02c9c93a

SHA256
52f8248f9ac49334c26992a6af7ef1e7b9a8e5254ee8cd3cf26d5e97238c5aef

SHA512
257620850b35419e631886bba45af79c3ad6841af15a0e90b84dc55855a2752ec2a7ef69e596c96fa7edbf523f2befae68e5f5eb03c6813c8b3df018ed65d643

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
046a9ae4136955a47b9d654d43d11323

SHA1
bede1c843f5cb2a84b05da73f7a4b893e5d02329

SHA256
edb9cd481a5fdf17cc53310e2bb2ede50267b63193355bedecc9a19c36d27455

SHA512
8b10ce0fa0c2a82559ad723373e8c81ce96b268f68e4610d0e6de4ecbe169d6b231a8f609e59dbe4f3432dd75247e92039dd691a7a99d5dd2f9b3f6c3613656f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f6ccee2cf9d03498499d5c470a7559ee

SHA1
be697c9dc175e6538006c90fa4b6087e108b31c7

SHA256
663b3625a4a748d99947eb480263b784899320588e5cbb33316f2ddfbe27e2a9

SHA512
1a6212edcacf8a95d4797f785c75d5acfa2569f5629aafafab215207884c108af79a2894b02b83684c044212af78b4c457357545e55c498c78408ba18223e5b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5297dd208ed755c528f38c33e1e8052c

SHA1
411f2f293805ade9dc351a1f2e868c6890db9e1c

SHA256
068ea7f3de483dddaf072540f7ad2659176f7f84b025844d51df038b635e0d20

SHA512
a69278ccf210c581e5fabb6823af258429653ff96f3308792967e80215f44604c26a636538a1d3a4591071620daae1da1aedf19a93c146dbfce47fd693b4a3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9ebf5121b8ab2e4d67003bc78451df6

SHA1
6b262b8b01f0cb7255c05460190a4ccfb0dbf065

SHA256
d6a8b00688d55b8876bb1a2c634ef1ba047ce26c3da8b2efc3770a07ad6e4d8a

SHA512
39dfaa901a768b6dce59ec4987ccd8a89c605b6220aa5a2b539321521258a7510b7bf1a27f5847a610cfec61550ee58683bd32e246af257ecf054967fd5f1ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7ebc3efeeea3928763597853f61192bc

SHA1
d1bfe326654d144d6d34e421fe9473fb37c199f8

SHA256
26651c8ab32b0f3a05c6e4b13211f08a0f6ae431dc01793dde64c50dc1e33fa8

SHA512
ae38b87a35157821f53e5bca964681c4618583e72bf652637b5411e15016f58549ca021afb125fdea2b0b130a8cacc396a802c0168a0ab01305dfd9df6a83105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
e58f0cadc297d330f930bf9bbe4e2f99

SHA1
119cf0580f76da616bb54dc00510cca0111be5cb

SHA256
103a402101295efb1cca3c5295832361fca57a487feafe127ecd0cbfa078af94

SHA512
42e19f88bb3e2933a24e7d76c9ab3ec6f22c8687a53a15c02ccf455a3e7e5f42ed0560dc8d49c64002143f7889776fb388cf0d3a231823a5b7627cc9d839a9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
f80db42720dd3019490f32db988153e4

SHA1
af6f2bf67f40b102388a9aef2af472ab6f34dc4e

SHA256
a73487ff57c31dc7a1e8f0575e94fd2f54e3b06cdb0dc875b4ad91b7b0d2a881

SHA512
afce8b7e81d037529def217a0eeecb0b1afa3ef2c76367f65757d52313ab234f0d9007a603f0e2f15b21e1d7e027ae9bcb17e031ec78d7ae26f16e9da1be089a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
355c54f89ff31b0b34ff2ca0f0014ac2

SHA1
7412c48711cd48343043d94936af2e83ff6052fd

SHA256
71890103169cf0e672c018c98a059b482c6ef24f83b4f38ed76b542cab966a5a

SHA512
fff0ad33b32705d8cd35c800020fa7d216f9e215d78e1937631882e8ac40a244747550fe4069a730391c64404ae9e57e6c9dbc0663895a8b3898082cb6b1eadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6c32609d8e84cf6a4a6d398320d544e7

SHA1
1bbdf4eb0bddcb9a9645f34bb8a3b7f2570dedb2

SHA256
cecb482ec0f65348acaec9ed3ff561c772617af4086fef53fdc76658e82790c0

SHA512
b1d0d0f4f95407b78578cf5858623a012638fd7bc8a89cf430078dad4f6a885b962b9c97238a57883ea6a141c69a5fe86f1b73d18feda6f717dfb46f74fa2702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
71e414a2ad6d0c87f8f1cadf44e1da4e

SHA1
f0b59812e1ae1764b956f58a757c5454d0e7693e

SHA256
a9e637ab9ce67415718d954efcfab2e59352c48ab5c7bcdf3350e6111f68edaa

SHA512
6d56e6618d79b86f43f05d51f5497d6a05a4d5f7b5ce5d7d65664ecedec253c6a96e93847b4477ad961739a1184e6cd385075434cd2906d3bd33d9abf0eb6cf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
3e1aff9484df619cded6bf814fe03655

SHA1
c122ea779a32d7ccadf7403c4004d39cc3bae5a8

SHA256
3295ffc3721147c9185f30740db84fc376e36c08b0cc9d8e9e36d2132c9289ce

SHA512
78b74ae12ffee96d0a9c56fe4f14962ab9c90b10e3372e84be52a759ddca2db5cc75249fddeacda63ab9882485710e2a2fc39f1d5ea7598d66aae9ce5668d2e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
df94a7bb41d09cd58557c156365f5332

SHA1
0e8a8e5452904f5ebc5b124738d21af2f960afbc

SHA256
45520a1afa314e9c08755860e2fd4fc4e5f90bcd454b2da21dd67442b0e8715d

SHA512
b4c7b344c1de70e50606e420286ade1bb81d0366c010a9416e05eb629ce89566cb240b1bbbcf508a1db74e0390884889b23d0bb01af666ae563a53c4101a680a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe584f44.TMP

Filesize
97KB

MD5
c01574c182d4ec6f2dc568748a0826ae

SHA1
f266bdda6996c2c3aeaea6c929c2bd3860b1ed2a

SHA256
148a9799803cafc66ab7135fce7203a7d11a47df6104f379464b66a022bb0028

SHA512
7ee9587a94e0bdbf25ddec430cb321a03c0bb7dbcaf2ce62929e38b4841dcc8485d0bbec82e5cbfb8148f7c374386bb12ce957cd10e624cc4761227244c1610c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
1130463d3ca49591ad5d053379d7f654

SHA1
94f1221fc5e2945705133826760a6b529f0cf8ad

SHA256
1507695eda86532383e66466afd5b5fbdea2e7832e594c60d081bcb3d746e445

SHA512
beae456b3ff8d03ea366a1eada5df37b9c4201ee9b1a9b8874c126e2ed1b7b2e0ef0669f3ac7e8f92b7708e2455679572f5c28fb9edac032d463e0d212145821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\PDFConverter\FreePDFInstallerVideo.wmv

Filesize
5.9MB

MD5
5264b77b3172971032b0aa787a49424a

SHA1
0888408a871c29771eebaef48cb7d8810fc2c83e

SHA256
10fe19955c27c5470f23f2dc5295cb343a820a54199f24cf706579e08634f6ed

SHA512
b7e1c7d457707815a46d9c3bfc434650bc80b3d8c3f611b71da56cd38142a6c90bc28c3adaafe9fad68b5b34772e49e65a8cb869c7aa34c11d52aa116749eebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\free-pdf-creator\UnxCzsWLHexKO6G04Sl2MsL8ECU0dO8=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\free-pdf-creator\UnxCzsWLHexKO6G04Sl2MsL8ECU0dO8=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
61d5bea0ec706ff402f9793b46d10f8d

SHA1
60e1b35590cc507994c602de8cc9edac9ebbf405

SHA256
06fbc002e01111fefdf2153961cb715d71eb6ff9c86630511b1722997b0847a1

SHA512
8d1d3e3e8a38361ec487118db585be6dc9d16854eca01d1490590903c603af69d7890761ca2904f35678dd9640624873f96cfbc14f318a81ea063d2a42b3065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\free-pdf-creator\UnxCzsWLHexKO6G04Sl2MsL8ECU0dO8=\vcruntime140_cor3.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\free-pdf-creator\UnxCzsWLHexKO6G04Sl2MsL8ECU0dO8=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
f079c4e7ef98ce02e636b8e68cdfc07b

SHA1
256267d80d07e21d33d4707e47326cb3a00c2988

SHA256
161ebd96e6df07c96141794db51adfe6c300efd10ebf803bd839e685b1890fe1

SHA512
c3e44213d011433706c7451bf608a42271f124b787e17567e16d68975a23cb974b933ec5ce49fd70d28e6779afea4ad227b3cb1623c0ec4ca858ada36e9cd629

Download Submit
C:\Users\Admin\Downloads\download.htm

Filesize
1KB

MD5
5d7ee9949c760982cf1ae498fe212dd5

SHA1
997c35a813d3c54910e6333a3c939b9a52ddb4ba

SHA256
8ad81b2ae88937e7af85efe6e185bef3babc8e7feaf859a507728816c48eec13

SHA512
e82a10a3164fbdba27ffe3d28b594f475eb4d60fa60faf52ac35195b07cd027ebefd33e495c645a43eeebc58e7b165c9c1a0787ed4c0c157f10c5b9f40617185

Download Submit
C:\Users\Admin\Downloads\download.htm:Zone.Identifier

Filesize
100B

MD5
54cb95e305b37be35f25113e93ab3d92

SHA1
b6a592a910184fce93eabf0242249ba7273e6f1a

SHA256
2da86389941fb59b07a9b5b89a7f75df640ce474ee989d11a3f7d548c2a2f1b1

SHA512
987925010724427d8b8954afe35cb0a297928a5858e4983e233a521d8b5c7831660cedc83d2a5171226be41db93118f296ed6c39121df18f5adfcbec819d1860

Download Submit
C:\Users\Admin\Downloads\free-pdf-creator.exe

Filesize
146.2MB

MD5
935c9d4363062cc07b8edc01056f827a

SHA1
bc2ee232010e24658f365102824b70c70e4e086f

SHA256
719745be56e42e898d28aeefd254df630adba06eef3add08854b9cd9ae6b9a75

SHA512
16e8fa914ddcadb4c9cacfc49d951738b1b3d6311e9005e49fa1525295626329d773aa8751b799da1235bdc223c9290023a8a64934083786ff6d82cdc326ce20

Download Submit
C:\Users\Admin\Downloads\free-pdf-creator.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/672-228-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-259-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-182-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-188-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-187-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-186-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-190-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-192-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-194-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-196-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-197-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-198-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-202-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-203-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-200-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-206-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-204-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-208-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-207-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-211-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-213-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-214-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-216-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-222-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-223-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-220-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-225-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-226-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-224-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-219-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-218-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-210-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-185-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-227-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-230-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-231-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-235-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-238-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-236-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-241-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-240-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-239-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-234-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-243-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-247-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-246-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-249-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-251-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-253-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-257-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-260-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-183-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-258-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-264-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-265-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-266-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-268-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-269-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-272-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-273-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-285-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-286-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-289-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-290-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-262-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-293-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-294-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-297-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-298-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-300-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-302-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-261-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-255-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-254-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-250-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-245-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-242-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-233-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-179-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-180-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-181-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-177-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-178-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-174-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-175-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-171-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-172-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-170-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-169-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-168-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-167-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-166-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-163-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-162-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-149-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-148-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-147-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-146-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-145-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-144-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-143-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-142-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-141-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download
memory/672-140-0x000002AFD0960000-0x000002AFD0970000-memory.dmp

Filesize
64KB

Download