hxxps://drive[.]google[.]com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing

Resubmissions

03-09-2024 13:20

240903-qk85csyfnf 6

03-09-2024 13:10

240903-qejbraxdqm 6

03-09-2024 13:07

240903-qcsgmsxdml 6

Analysis

max time kernel
144s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing

Score

6^/10

discovery link pdf

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com
6	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000300000002a7eb-156.dat	pdf_with_link_action

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PDFREFLOW.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PDFREFLOW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PDFREFLOW.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	PDFREFLOW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	PDFREFLOW.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	PDFREFLOW.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698424552261216"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Tech Support Specialist.pdf:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1688	Winword.exe
1688	Winword.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4996	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4328	AcroRd32.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe

Suspicious use of SetWindowsHookEx 61 IoCs

pid	Process
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
4996	OpenWith.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
488	PDFREFLOW.EXE
488	PDFREFLOW.EXE
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
1688	Winword.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe
4328	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 4892	4132	chrome.exe	78
PID 4132 wrote to memory of 4892	4132	chrome.exe	78
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 5088	4132	chrome.exe	79
PID 4132 wrote to memory of 796	4132	chrome.exe	80
PID 4132 wrote to memory of 796	4132	chrome.exe	80
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81
PID 4132 wrote to memory of 2724	4132	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1Z3F36Gu-WNL3fGTAz_G1f4lS91NKf31j/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88c14cc40,0x7ff88c14cc4c,0x7ff88c14cc58
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2240,i,8501056076882436036,7219535218227820675,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4996
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Tech Support Specialist.pdf"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1688

C:\Program Files\Microsoft Office\Root\Office16\PDFREFLOW.EXE
"C:\Program Files\Microsoft Office\Root\Office16\PDFREFLOW.EXE" -Embedding
1⤵
PID:2752

C:\Program Files\Microsoft Office\Root\Office16\PDFREFLOW.EXE
"C:\Program Files\Microsoft Office\Root\Office16\PDFREFLOW.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Tech Support Specialist.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4328
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E74601F9D8D73A84BD516AF2829DCC7 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2350C16358D7BFA085C94DFF0A01866F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2350C16358D7BFA085C94DFF0A01866F --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=861BA680BF19E8B8F7DCF53B8B199E17 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE6D820C033238489A322E2CC6FA459D --mojo-platform-channel-handle=2000 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=99D8CC360F996623346524446CE43C79 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D7C61CA4A92D57C23AA7E5DBCCF458D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D7C61CA4A92D57C23AA7E5DBCCF458D --renderer-client-id=7 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5962476d94496b2b63b590b57db5238e

SHA1
59c77ed4d877928e70a8e5bbc2d2cb06c9939674

SHA256
d08692dde8cfc999cd7f9f37e47f03c65f78111e4271d5c6889ed364ac8d61fb

SHA512
209557f757470b0313298d1bc39327789c42032047bf3a9f4d552bf6beec559b52b0dc4e6d55887eecf4f870843aff56894421bfe6bc0effa14ef3162ab79126

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8da4944f67ef3a1e107a012568d304aa

SHA1
ea5cfe5fa959ebcdd331f7101b259ad4381fe226

SHA256
91e18aed4836a392a9541729f33b4736d6679e8e8f9be972c752c266170bb8e0

SHA512
6731e27d44a15d90d46038706cbc2bd991bc1c073957eb67a0bb4d1df8c0c80dcba3a80d63202900c20701d3f9114d5187cc14fb3178c9266975c9f827c6e1a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
deb0923024144afc1af6e0ecfd805aea

SHA1
01a8950507f3de3134efbeb66afb1eb4086d22a4

SHA256
ab167b5aca75333f97aafbaa552de0f4cd880139486d0dfcdeb9bf6f9513ecfc

SHA512
aaecfa22c2b933ae01a062414ed6facdfa71f334addd2d6badceb43411bb7379f9be5044e53b0a271b82eaf7fc955baa072fb96665c8ada682b87ba11aff34ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9c9c9bdce5f6129076dceaf90ee282ca

SHA1
561c66c24e4e16f5d047263e93da8b661da1351b

SHA256
e63cff3e724d7ff62101281bb0a121ca1a63205d28a3b326eece57ba735b342c

SHA512
a6b38f7f226fbefc3097ac0cc1a910bda6ecbed66e44b08e33a0a8f5fa0184c1cdb2f4a0ac569d98b5eb6eb931b3b5981163b317250d5a21be8c8f951c3994ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b158b63f57d9fb5a8d72f56e01560bae

SHA1
c6f8126a982d0fc5c9735021d6a61d9b6f05ae3c

SHA256
66939c0b8d306fac499fdc87bc6372f01b18b763698378ca21e73ef5f73d4946

SHA512
6cdcab0b8b0ecb13bfb55b7a3b03fc7f26e0082d0d38fc673f51d22ee2b9f728e0ce70dd71a2e4db5a3a2306d8dbd2d16ef37c91327910d9cdabb5dd8d6d6d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
68e2033e29ec605d9b91920695769994

SHA1
4096558678f2c6381485267739e6e489cc51cb63

SHA256
5f42292d1dcd032d8540dd08ba8c1c6d4297930ea1a4b89051c61a82310a1180

SHA512
54bcb0f91aa7ed772716573aab85f6640fa53c9820de906a4a7a05ff66fa8592f5a20e59bb1f1044ce294ce2067761cd483b49e5e680d3b878b3ec2757129d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
417658932e18a8210917082da60afbb5

SHA1
f02fb46d362f3ee180aec16bbebfe0716ee09f4e

SHA256
158230199b0e5222cbc74c6c5fa84c765fabd2d5d45bb86b37516d495b8f4433

SHA512
facdd24029001ef643030e5d00be8aab1f2c064ffa81a2c4e6ea5d39fe8732224a3b96b85d11b1419418e82cf63ecb98f93a3fdc1045396f65887832cf56f150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bb042d05b20a50607887b989aa332785

SHA1
b80b3eb0acda70399e5f7f69bb5dc37ea3507019

SHA256
4cfbc869ade233748679dabcf3b8bffe0c4b03f35eef82aa757360026b224c43

SHA512
7959c51bc05d5c5b79f84d97007c8b2d82c568472ea4c6fe447e691432c5ba7f0c693f283051708d13f84ec0d89291f60c6b553850386d901bac5621fb5b9495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
376e96668a519a459515cd8b7a245bc2

SHA1
c6bd8003eac2caefcba0bc032a37eadc4642f8d5

SHA256
cd6c1439075e96a4a32a8cd2d79ca66f612416febab2b6deb06c16f174b38da1

SHA512
d12c5ce9f2fcb4ad01eac2342b52094174109f9f241f522e5d473a0067beee23bf78bb66431e596e6725e6427628cd54425512237b6d2d49da32dd88ef8e435e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a319e94cb7cd3afaa0b9fd6724fa4f88

SHA1
a2059f802dd7ee92f86e45830ec141ef95662008

SHA256
8932ecd5de1b4942de202975d195fbc510a17f88ec1d15285d6834d1fa4175d5

SHA512
1a9b366e752de6db9f84e3ed0243bbe77aacb27b6c468f2e641ec98c48852ae0d36ef5d15eabe7a787a0f98728e0b34a22649da2fe48e812cd9eb055afbc9920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e07e1b06aef63ca6f7755c3c2cac6e45

SHA1
2b1133a46c89a012ddb7ad47e86f59636ab4f57d

SHA256
9d7e408554152d4b6ac2dfa206ed4629c74fc333916fbff183ed2c4bf36d8b31

SHA512
bb95d884fa13c3a75cf28b3d80428fd541ad9ce55cbae9a915d9656a10a3e06046ee4f706a9ee41b78a0a1ad172358918f18777bf153f57d909676a666f93155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ef19aec8b16c9a619c29172408d2d836

SHA1
d3725118ae13f0daceb0e1a916b75b8058c8b2b9

SHA256
8c34e6a5762bb57ce2554923a4b11dc9cb59e5a929c5b8f7e46c661d6f55a27f

SHA512
159e2d7a7ab1a93f3b709805898af32b95fbb1a8dd176599c6ddd3b3ea49724a93f83167bc8818054ddf8fe2c15a299abf4d905c79cbdc1e8a092f70d7e5daa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f21841129b1c0406f4b454cfe71c7fac

SHA1
87b8af1281d1d842825178ba1738cdd1eb935b5b

SHA256
e21eb215cefb090a73bdc117c62215a67aa39c89bf8399a086a22f258961689c

SHA512
5bd4c7e9394585007ddff08c748ad419360c18a875789f791e801bd1a9fab451da6b91a2a0f4c3e043a77c1e165e8ed3dfd3261560a268c0e7ccf8626713aca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f7b924ff4da30f6dab1c74809272e8a

SHA1
dee950b9f373a19e36e8c4ca49ec82e0c64215ba

SHA256
dea58d35d9b00ea505d91a81af5764ab80d0ef9f94c1a8bd48e5e14c819b7251

SHA512
2e75e489e48c002dea6c48c1363b6100958333695ce6bc8aa31e57d332938e9e5ecb53f267a354ce04c1f7a324b4b0ca13bdb0b5f3eec8b438383b95a1acdaa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
175a79aef71ba5066511f41f97ce3d8a

SHA1
01c433f9a9d8a08f5cab97b7a2ed813c3cd199ea

SHA256
7da7c1459ece8210d6ae7ce930882a61f14f32a3af79a274fc0bd92cd0f72755

SHA512
6095ad51e0a438ddc69438f3bc365493c8f8a2e54c6e91188e300a64daf266b4ce143feeeadea7d5800b132ae4953934e9fd6607fd67eb6842b41a19a4cc52d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
54e5a2ee31d858d93c7476736222fd39

SHA1
dde68a2bde05a16f7e5ad203719c4712d0ea395f

SHA256
578406d1169ff99f00732d6e75e0351460f5ea143509bf8159791e8b14a3fde2

SHA512
aa654c2c6fd98e92798a2e36584f80c1676ad0555808ff5d5e5b05d2a2beb546112083f745542659bb659689038c3b76150f8d4383d97d51d57e907e6f48909e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
74d405c86b9f88a0b3ec90ff4c071ee9

SHA1
b9001ec6fe6912382886342667389515bbbf0735

SHA256
fe7e10574471df0aa04df37675c68f829be3e961c2219e524a84daabb11301a8

SHA512
979053c7329a09bd6b9058d7a26358c773ae08a84cf762d689c7808d1c401b4a2e24f4b794e9c4dd0507b9beb95fde1e4ae96aceb6396e2ad2326a3c46b1ef57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A4A9440A-D1D6-4737-9A98-0DABE30BEBF6

Filesize
170KB

MD5
ba1ed3965cad67aa2e562d0c0ce51dbe

SHA1
e808693893cc9093c548aed4933ce01090c6d8ca

SHA256
dfa455340b6e619f73e08c8c0661878e3ac3cc0d394b70e62a3c3f22aa2b150d

SHA512
420b7a0c7f5cba22ad3fe939f6780e7e39e0799ddc14bbb76b836e8b8f6b55650d2ffbf9024287a758f28b6680bced827a5f9b5d5a805fe570a5a6f6068f0986

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0000.doc

Filesize
48KB

MD5
80280ca6c7b14b21c0df836c8eb78b19

SHA1
f6849be5d37c8cf1292b877a180bfab5c673b180

SHA256
e6c552add847207f1e42dafef3f2624ee692d537cf0294e6b24439fde25203f6

SHA512
d44daa51e0dfe9c1581bcaf036e36231ed87a30b9e547eb6c31cbaa1d07ba34ff449052d88c7555719fcb684fda2399c01843d3de53e91599a9a082f1aaf54f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Tech Support Specialist.pdf

Filesize
131KB

MD5
4bb18b9512481ac743a87ca5ab6aaca7

SHA1
cea87b977fbe4a68d04ccedea49d93577d395d7c

SHA256
9a857cbb2e9bc50f1dfd77aed298572f7b5b6ee7fe769b65ef2f7685be61c2f9

SHA512
a63b665b902cb79bcc6dd17d26126e6cea218d0430d9c7f69e679170d51cd42442ceb7fdab4659ba0e31a74250263e5e2651b4b277a9dfce353943324797ebef

Download Submit
C:\Users\Admin\Downloads\Tech Support Specialist.pdf:Zone.Identifier

Filesize
173B

MD5
aa2d942ebbe43647f3b5ca95b54ba174

SHA1
5caf68d339abcb2b772f774ae996523c3d27bee9

SHA256
87a45f0973e10db54229ca63a39d892fa1f534230ea11188b6b8df147dd22fc6

SHA512
a8041d78b9d3d9e509f7bd0ecdb0dffad8cca18f265b0aa95eb577097f1feb7a9d08d0e85e043d56c186d4af7f43dfcafd4c119bac9a08b8b16fde06f07db38f

Download Submit
memory/1688-157-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-162-0x00007FF858770000-0x00007FF858780000-memory.dmp

Filesize
64KB

Download
memory/1688-163-0x00007FF858770000-0x00007FF858780000-memory.dmp

Filesize
64KB

Download
memory/1688-160-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-159-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-158-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-161-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-291-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/1688-292-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-171-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-174-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-176-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-177-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-170-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-168-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-169-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download
memory/2752-175-0x00007FF85AB70000-0x00007FF85AB80000-memory.dmp

Filesize
64KB

Download