hxxps://drive[.]google[.]com/uc?id=1k3b1OnZc5mZQW1jqdRgWa67hYgvn-drh&export=download&authuser=0

Analysis

max time kernel
40s
max time network
41s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-05-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1k3b1OnZc5mZQW1jqdRgWa67hYgvn-drh&export=download&authuser=0

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
2 drive.google.com
3 drive.google.com

flow	ioc
4	drive.google.com
2	drive.google.com
3	drive.google.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602803730403730"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exeAcroRd32.exe

pid	process
524	chrome.exe
524	chrome.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

524 chrome.exe
524 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

OpenWith.exeAcroRd32.exe

pid	process
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4788	OpenWith.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe
4596	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 524 wrote to memory of 2524	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2524	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2668	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2700	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 2700	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe
PID 524 wrote to memory of 4572	524	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?id=1k3b1OnZc5mZQW1jqdRgWa67hYgvn-drh&export=download&authuser=0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe88119758,0x7ffe88119768,0x7ffe88119778
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:2
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2836 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:1
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1772,i,14921260005473901620,1404440116347240584,131072 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\ENVIO COMPROBANTES DE PAGOS REALIZADOS TRANSFERENCIA No 286921000.rev"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C509943FBEA2C73A503B8409AAC9CB49 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=89EF89F968CA6611E006A64F410E0CED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=89EF89F968CA6611E006A64F410E0CED --renderer-client-id=2 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BB6DF4D5861C62C64459E35FCD37FBA5 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4972

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94339AE5D4580E5966752AA6BDA5BE47 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3297163027DF4D2F57C6B04277362670 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
51f16456576d79ff28b7405866bef848

SHA1
2077c637cbdbb53a9a485555b8bedb491ebdc63f

SHA256
13a731dd26b1fb92bf422648904580493fb77fd487257ed24e2820f1e3e83fd9

SHA512
1537c1994933e7e3e77c1daf69ec36ce6189c2719a1b2485cd5e30441b26be565d310fe41911e2ac83ec3849e67a89f114756f50bfac1978cf47c79b97b0cbe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1018B

MD5
731427daa778a1ec38f264aac8181a85

SHA1
ba5ccaffb7e795277af729457356fbf768b95fb6

SHA256
1f30b39a53732ffc36abd5e547a5832f75e10939d419e11cbfa0c8d91a50fdf5

SHA512
5b5ea332bfbae58c1bd8c9405a37b6948af47909a86e55d77062d1168937bd7e6288dfe8bbb86fcfc929d4341580bd5f215aa0dfb0abc2e07aa6291ba45fc32d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
537B

MD5
f3bfb057eb795407f5a07f3c818f082b

SHA1
7590123a098344a446da7dc847172d6dbb510639

SHA256
e587655d9158d8c41c7642afb72c3a416721c236f32ac622e9b7f4452590532c

SHA512
63e855b49c2254df70da91b1229605badf6e994a87fc14b4f9c13c6c8622f9a6bf03b52b3e111d619c103e2bf6628412f1c2a245cab6dbc1bbadaaae3551ddfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c5781ac5ac13e9ce8334597817b0392c

SHA1
d915e901595b17f139f5755d325181233e364300

SHA256
fb295a113e07eb79f25dcd933dd95edd3170d099b5d35118a14efe7cae585bd6

SHA512
0d831f4b1f7fa0ed64fae15dfc630293242f7eae86071bf7b91f250ef7409462bda0db3022121577110dbf2d53e369b813e6959748d81598a3ece3cf92d28f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
16c10d647251ab7681512fffa9a26b5c

SHA1
f32d3f8f329f356c466bc7e17639fd760df8d7c6

SHA256
1983cb2760baa011268213a9a53ee10ec66de9484cde0e866a1df7b29dd3a782

SHA512
7c209356e0428a725540fcff1497faf9e4fef3987cd4021f42fe844f9312507760d5b4ba9dc0601108d85d6addc05af8a33a2ee0495d9a42a595dd71eff1a87d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
6b0ac79bc669c68505efded4041d12c7

SHA1
63c3b60dd73987480f60dd283b91c15feb3a34e0

SHA256
e237857abf171b2d06cf76a35059d01fbb4f87acb1d443e197bdb6f5e7f7b911

SHA512
0b4f07b90a5066b61906ddd21f1611632632fdc868cfee158e39f1305d719b461851cea8c11de9d65fdffc8419ae0f33fb1394f26a065902f9272ed3e88c504c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
9022cb42f43012689480182ca5dee977

SHA1
26dbf10de33fc158702871aa3b20b6be3f13b280

SHA256
641f52fb8462371a6bab337c8386d78651277b3b249e628cf0a683409d1f9711

SHA512
8b44e073031dfd5e8aa322bda776f81dc19066fbccf89b10330235511f5d85590eb6c9de145fd122b04254c3ccd4e7999cf3ecd5d95056cff2b474694e14969f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c9e7.TMP
Filesize
100KB

MD5
8e1a12506cb68f99f323cc3a13e25052

SHA1
96bb04032c94ffbd29cfcb950347bf0bcf3a100b

SHA256
3b3934ee44a91c304d34e1b8b377aaf003396dbce6ac64fedb977b1e5faacac9

SHA512
f775481611976da9e96a2bcd136eea904f30b73011b8c511b21edb4690241050b1fff087e52e9c74e964faf27e95406d03c70685e387c922c5edc47f84aa52e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\ENVIO COMPROBANTES DE PAGOS REALIZADOS TRANSFERENCIA No 286921000.rev
Filesize
4.7MB

MD5
be1c40ea4081585af6c5ef3a1760cbba

SHA1
2b42f0c05a22f102ef2f6ae38eca043a10aca3c7

SHA256
745db270f4f56d9734210064dfe9d85168cf6edb08102d209909d00bfd60c641

SHA512
e492f854cb55b49435dcf604602a55b5498548c2de4f431ddd13a72a31a34e0fa6e7266555e9ff9eefc8dc30346119d1138be104ad3afeb3c2a7665011d16e2c

Download Submit
\??\pipe\crashpad_524_MCCLQRBQQIQVBSKT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit