hxxps://drive[.]google[.]com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing

Analysis

max time kernel
113s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29-08-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing

Score

6^/10

discovery link pdf

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000500000002a8ac-148.dat	pdf_with_link_action

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133694436586934560"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Tech Support Specialist.pdf:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
2172	AcroRd32.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe
2172	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 3820	4240	chrome.exe	81
PID 4240 wrote to memory of 3820	4240	chrome.exe	81
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 5108	4240	chrome.exe	82
PID 4240 wrote to memory of 1332	4240	chrome.exe	83
PID 4240 wrote to memory of 1332	4240	chrome.exe	83
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84
PID 4240 wrote to memory of 1692	4240	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6624cc40,0x7ffc6624cc4c,0x7ffc6624cc58
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3068,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4740,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5072,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5032,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4952,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=740,i,11669956301869028022,4626272249803386283,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Tech Support Specialist.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2172
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A1986D8115C42F026E0A643B51EC6BD8 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0420798A34F4BE62F53B87AE62D884B5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0420798A34F4BE62F53B87AE62D884B5 --renderer-client-id=2 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C6DBB550304E5F09E63DD56D5A92497 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43299DBCD85654E10A77B775A0A4A51E --mojo-platform-channel-handle=2000 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A04447763F3C0310EF8A58F18532666D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A04447763F3C0310EF8A58F18532666D --renderer-client-id=6 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FDDB79474188DEDBA648D5272D2C53B9 --mojo-platform-channel-handle=2712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a2ebc9eab444273e219e7c9366db6254

SHA1
cf12e501becfc79af73cefc6f5dc9d384d0c551a

SHA256
6281bbf4955be597b9ffcd1418347fe072e73a084578309f007013defd1df014

SHA512
22459945754db05c06276db70ea5e63c451b728ed8c9a4fa81555f19dea4e0ec9ed142dfffab07670940e3dfcfc2fd16071feb97597831731175f69d61b31bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
68f633f17be77aca4aafe83304e81da9

SHA1
3c3bc33be45f2790bb2ab0225ac1743d569e9d64

SHA256
9c903e14f38ea30081520e8b996059a0ef2807307b2e4da112a25571e91c3ad2

SHA512
f9961a423116a7bbf9952d3899ebebe4970ed778175252b07d07b4e15301100576a14f2cfc83c9b157b1fead1c9356d06e77d0d592f9b20dd5c5bb56ae75b725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
04dbdd0b740b27b16bef0736f711d660

SHA1
d6bdf67127791801962e743f6f25d93807736fff

SHA256
abcdd8a2db3065881d12714f83f4832d2152c824c646ec29050d83cfb18ffcf0

SHA512
ffebda8acccde4cf15f8337f355295d85f1b9b05376f7e546a9923cf71a4274ffbedf78403a7fef13b2b06c98e7ddb5a0f8817e9c521cafb58fdd6b0531e74e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a83c928697883224f83b08e65731b816

SHA1
25c436bd48fcd6fa1fb2ba8b32b9d9f136553ba3

SHA256
30149ed475d2273c1611907f96da104f9e7ce0d840f46127c1e6d1e1a16b9210

SHA512
86638af19e3b3f3472a8385e20b05e470f9bba51b37636d7a05ffe4680383d167df2504dfce6df1c6b2ac7ff89679b4cac7fb65c1b7b1f8b326b44543c58d412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7b251624ba9d58c7b38174929f87e9b8

SHA1
c30eceaa7a94ad2ce43e050f3562831a3467f036

SHA256
dff6afeb62083fe5f9e57a1fa3975a3272c90a5f15ed3925d1bafd4b61f5a25a

SHA512
411259c9b30234261190be23f852fa0186052884b4b51981ec2a60c598f85b012ae239e0cd8b1fce19bad0a078f543bf4587cff006e54236f93cf24f7369a3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c4581b63068ccdc9c03795656719ad12

SHA1
2a7c8c3ebf474119fdbc46f7a4da48b5cce41a11

SHA256
bcc7a381249025a059d2feb3da620b6006085b7e50b4b73a215410f0132a6545

SHA512
6693e594d322f55d8f9bb1464005773cc5f38dcb3c529942dec6f479cf515335f0f90100895ba80363bc43090a45fedfdf2437a10277e6a563221158b0cb1775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d1fcd5f616a5b31eebec314cb91e3f52

SHA1
13412996552bc87e6cde4934bd09bf299ba385d2

SHA256
bd603f521571b3e5992a04f87cbdccb90fc272eafdffc3c6827a1213b719b021

SHA512
613388ed29bc6531fe53d9a76f5a1cd1b4885dd69fb8bae6e094c2b8748c0161d281bca07b2c702f48b25c3be23e2142ed06bf43ff099555ffad4daff24af340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3141ed8e7eff1a86a6826ad7656ea96

SHA1
e0e36ff70e0246b880a77aa8c3c2f1866cabea78

SHA256
63046ec784d4ed63d2a3bf8e5c592c4ed4c195dd59da72e36578181acdbb73ce

SHA512
a3dde1439f03ff195c0ab2bd9314c36a94de3e1b9b5c9c6f9698d56a3d282a4b55f30e65866a253015d389e6efce0c7fb98f40618cf7494d7cbbc02f6182aed7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
099731f4be20cc4cf2fa0fe36811cb35

SHA1
db47af0fae1250798a479a1b6ba234336e2753bc

SHA256
dc5a286afcec83b28bd5f11b46c6d9cddd1276d34a49f9a55048aaa5fbb7e5c4

SHA512
cd95577478c7efcf7abcdace5c6552d56c97193e6fe71afaac70b07b44ab6f83b9f0c426a2220b1babdc217d03d3c1788cfd8e9892bd2adf842e9efeca94f962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1662788a0fc45465a2ea87ef1f4b3343

SHA1
2bde414ccf841259503f66a794e7f5e70b6fe463

SHA256
14c15d2701123cbe4fcb9b7412b5e9eb0758248569c7e9082cec269d9db8144a

SHA512
91b7b0a2bebfd92dc116f0057d83547468866c2240fbe0ed101340fb51cb61a08f3fc57127f7440fac91a8796cafd2892d1e9fe13a6083e81dd5bb1621e3b2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2def32e14f9d50b087238ea440b24ab5

SHA1
4a65caaef6cfa724f60e13c70405684ab62f241b

SHA256
14ffa63b004ff239319d5b4683b181e0377c8085f3c8d511281e5dd36f47d866

SHA512
d76a2e7b1cc7b3accec9de9d1a28f4cf58453b24233acaf0f8e80a97f551349506252997bdbe4f9463580a02f5127ffc5e0783511a54e3d651e5f0996385835a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0b2e8a9fe5150cdc62b5e802716b25e

SHA1
f9d94ad02bdc4f096d9059d0aa7d986d2c17a85e

SHA256
4865c7cd63f9468072db122778861a024c0d6df8649baad98d62caabfbfba14e

SHA512
5786052eccf5165aa0500a16528dd503d82909ee99180514170a5d9d64a2cb1b2eb7da7ddec03908f4841137d0a009d55f37d4afb3fba215006777fe9c54b207

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
21bd3c204effefdc8dcb35641552991a

SHA1
1d5957b92de0b7ff5707db2f400ab47743fb7537

SHA256
b224c2788ea21449000e217f131c84095484397c6c60a377ac9aa2bedb1333d2

SHA512
dda50107572fdbb3a75268effe17cd62f3e6e3d24a10fac085b82362ee3083c102ac9c79f503b73593f2b35290088982e008b4c16148d714244a33b3fb1505ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
640815431c7ea098267fd30d89a28385

SHA1
5c251c6ec4dc9cca2db5bee2e6ce14ea0c30b24c

SHA256
fc2a091eee2beb5269bcb5c825bcaf38217f2a6480844f9dd2e5ff8857e34e5e

SHA512
60ac37a55c6705484af3040d638e31290db24c7d7a6a50fa3ee889f17d5f9233c7647697dbb6048aee5c4c629b96c025a92ce560e5999199eab166c6baa2c3ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c53b317965eeefb51c227faf61458c77

SHA1
ebb064e217fd5958fa9865220c354d2f3c6a4916

SHA256
841ed1b6bdf1303f75d1bc4d4ebd0c47cd90cd2f7d1a42cd0c01c75e484ecd44

SHA512
6f13cb7ce357808aa066a942b5c3e1f4434937f759f2b3c392bffb1f05ae0ca3e19176125eb903b61e72ba02cdb3e0f25986c91442edf6130e3502db701e9c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
21a81875385b14528395b10cc941b680

SHA1
dfafe300ff774a61ebb8d7eb3c8413768fde59d2

SHA256
c4e0f018bc525aab310b52fb96e3a66af0ac7eda4f64cd9c112a0ecaea666113

SHA512
a57e00a4c0e8e2317a967fe714268a3b8bfea50f8f7d78a80e39ad8b062a132a3eaa4378b035b0cd8e974131322b562affe9408cbf542512479bc08a0f1f0bab

Download Submit
C:\Users\Admin\Downloads\Tech Support Specialist.pdf.crdownload

Filesize
131KB

MD5
4bb18b9512481ac743a87ca5ab6aaca7

SHA1
cea87b977fbe4a68d04ccedea49d93577d395d7c

SHA256
9a857cbb2e9bc50f1dfd77aed298572f7b5b6ee7fe769b65ef2f7685be61c2f9

SHA512
a63b665b902cb79bcc6dd17d26126e6cea218d0430d9c7f69e679170d51cd42442ceb7fdab4659ba0e31a74250263e5e2651b4b277a9dfce353943324797ebef

Download Submit
C:\Users\Admin\Downloads\Tech Support Specialist.pdf:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit