960691e06eff8e6ef9d1f7229ca21594b955b825df75893f37a23058014ebbad

Analysis

max time kernel
211s
max time network
284s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19/11/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wetransfer_english-file-elementary-sb-units-1-3-pdf_2024-11-19_1158.zip
Size

54.9MB
MD5

1f41d5035d7872babbac6a04c7e79b3a
SHA1

e4487d25440d98e6ad5accd8c8d74c5ed5239652
SHA256

960691e06eff8e6ef9d1f7229ca21594b955b825df75893f37a23058014ebbad
SHA512

ffe7a53d4199749f0977bd907c4fb9a674542a27857c9b2d9cc363ca9451b6d95d0acc09a42d437b714519f98dd716e7da7839c4860dbb9f661b2b4a0cf60677
SSDEEP

1572864:t0aJveWckVIwblhMMCvMFV6ESBOfrWs7y:+a0WckVIwb+vTBoZ7y

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe
4612	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4612	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	4612	7zFM.exe
Token: 35	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe
Token: SeSecurityPrivilege	4612	7zFM.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4612	7zFM.exe
4612	7zFM.exe
1964	AcroRd32.exe
4612	7zFM.exe
1316	AcroRd32.exe
4612	7zFM.exe
1172	AcroRd32.exe
4612	7zFM.exe
3372	AcroRd32.exe
4612	7zFM.exe
4460	AcroRd32.exe
4612	7zFM.exe
2052	AcroRd32.exe
4612	7zFM.exe
4996	AcroRd32.exe
4612	7zFM.exe
1408	AcroRd32.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1964	AcroRd32.exe
1964	AcroRd32.exe
1964	AcroRd32.exe
1964	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1316	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe
3372	AcroRd32.exe
3372	AcroRd32.exe
3372	AcroRd32.exe
3372	AcroRd32.exe
4460	AcroRd32.exe
4460	AcroRd32.exe
4460	AcroRd32.exe
4460	AcroRd32.exe
2052	AcroRd32.exe
2052	AcroRd32.exe
2052	AcroRd32.exe
2052	AcroRd32.exe
4996	AcroRd32.exe
4996	AcroRd32.exe
4996	AcroRd32.exe
4996	AcroRd32.exe
1408	AcroRd32.exe
1408	AcroRd32.exe
1408	AcroRd32.exe
1408	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1964	4612	7zFM.exe	80
PID 4612 wrote to memory of 1964	4612	7zFM.exe	80
PID 4612 wrote to memory of 1964	4612	7zFM.exe	80
PID 1964 wrote to memory of 3188	1964	AcroRd32.exe	83
PID 1964 wrote to memory of 3188	1964	AcroRd32.exe	83
PID 1964 wrote to memory of 3188	1964	AcroRd32.exe	83
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 4084	3188	RdrCEF.exe	84
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85
PID 3188 wrote to memory of 1608	3188	RdrCEF.exe	85

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wetransfer_english-file-elementary-sb-units-1-3-pdf_2024-11-19_1158.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40204179\Vocabulary Bank.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C6D9E3B717D014AE672A13A1B675F262 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4084
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6E39685060708F15AA18064AB0CD01DC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6E39685060708F15AA18064AB0CD01DC --renderer-client-id=2 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D843AB8595DEA547D558CAFE0C1895FC --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1420
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43C9AB5D989F500656BA92AC0EBC56C9 --mojo-platform-channel-handle=1984 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CBB068DE542BC17EF7F2E3E7984D34A --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1744
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40219C69\Sound Bank.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1316
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40251D59\Listening.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40248D49\Irregular Verbs.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO40294EB9\Grammar Bank.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4460
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO402B9EA9\English File Elementary WORKBOOK Units 1-3.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO402F1F99\English FILE Elementary SB Units 1-3.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4996
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO402700F9\Communication + Writing.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5FE682ED93EE41B7B4EDC288F3BB9D07 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5FE682ED93EE41B7B4EDC288F3BB9D07 --renderer-client-id=2 --mojo-platform-channel-handle=1672 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD5EE53A2772AE9B77D6028434CCDC03 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4316
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0704EABCF913AA9C4A586D3B7C4A6DC6 --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E92A12E723BCD26DCD3BF8ABA36693E9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E92A12E723BCD26DCD3BF8ABA36693E9 --renderer-client-id=5 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC8AF1198EE45740B90D9B3115486E2F --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
9f2648a348764d42be58920bc8ec6246

SHA1
27ab3fc4b4e2918e724e946b7ade1aa7c20a9e8e

SHA256
1eaf474e5e30ba5db330b4d4b42506d64602a789e93fd027032bd4df13e3b3c3

SHA512
489740411167737b2f64bf6215380d39db36f860903631908631d889f2b147c82578e0d485262ef8a9f22e06eba78e832de3bb0bdc1253484f217c7511622c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Filesize
128KB

MD5
4cd5392b7a1d61bbd5d237fb5e89aa24

SHA1
14b0b5dc10a5ef67469a96e9452563e78b1bd95b

SHA256
82a68a58719eee61d93f121471cbcef292a5356c562bd9933e89ca96f486143c

SHA512
dc12f3277d097a614dd34e04a073fa9341bcbecffd03bbcda6e66248ce5800450d8681b68c83087531a6829e1af1c8efb5edd429003f3c841ba34976fd9cbb48

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst

Filesize
110KB

MD5
b27a3412fd2f04347ef143d6d794065b

SHA1
34ce5bbf9cbd77a83f5eaccc59585b578ffba908

SHA256
9667b3d4d84ccaef020baefaa8d65af34c923f9e4a15e442b57a8f8021e9c654

SHA512
41e80bc5f4c048859853fd1f3ef4d571d19731df074243c8174916dc23420bfdd6f94f4463bd53e767b98601a9f3329e5bb199d376bdd154a2acb512bea1d473

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
141KB

MD5
ae2991970649d0a7226023627a5fd976

SHA1
8e2e6313fcde57c406eb160574260b625dfa8e17

SHA256
ee8d102a9303d4c9a410d336b232cbe39bfeb5867b7a6e761c4730aeef6fe84f

SHA512
d7548020f0eb8d843c9cb68da0857ee0ecf51c1618d5793a30728e7ae4f9468261b17d1126ce11b9bd2b970b576e6d451ae9a6c621de8bb04b74b4a4d5565928

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
221KB

MD5
4ca838b12312caed3341ea8d8b8e63b0

SHA1
f6683389b8c5d8f68fbc9c1cbe5b5708c540fd76

SHA256
e781b10fd75c0fcc4e66b2e4a086d0b60208b571db24070b2d32b479414b9578

SHA512
23911113be784dc3db65901b3d74371e0c90ae945e07d98d12b7e0dcb82e90f100e2539f2110da7676bf057e7f52135b4856a74862cf9ad44ab9c3866acf6308

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
221KB

MD5
2fa784fac50c1d00ba689444dc38aebf

SHA1
193508275b1c96e2ec09580ed535db041e5efbea

SHA256
514f592188b05a37c3e9e519becee655a5d4489ffee47b144b84eeecf8f685d7

SHA512
7a6bad38a2f5d33d8a2938486c24b5ae85ae22932e3a8b16ef3f83343392096f96cbd2a764dc373438ef97730af13de2e4a494e700b2a13c97db0942d53e6643

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
225KB

MD5
d2644b477c6f5239b71f2682a05a6a0d

SHA1
ca20a80aa50e132fc2155423ea2b5d61b194b65d

SHA256
dc26e966012cf41c92580f1a77852c13fa24443b7f1a8beeb88e2c4524f9d9dd

SHA512
b3f954c433fd9a942edbbfcb615088cba5f31f26d7c86656434784e35d558afd03e9c440e73d3b3c38a344545a53d51e5a65058a88de4f25e7f2a39d414c158b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
225KB

MD5
f8b3ae747e93cbe4189979c8f244bb5f

SHA1
bb7d663ffc7a0e667cc3b880ff963170876d9c4d

SHA256
2b5c194f12061a030f27581fe8bf4292d7677898770d68ae0e3ae753eb7ec38b

SHA512
090b9c5369099d10d73a50144e48c482b3e51f940ce02bd6858a3e0e4fd8cd3eb3d233b84f824530f212e28cd6aa04f9c170fae146d6da71b2bf0f3e9947207b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40204179\Vocabulary Bank.pdf

Filesize
9.0MB

MD5
c9377b3ba3b359e3711c73a866ad9fca

SHA1
bf9b8c060520078adb4ff1059afecb42ed1ab195

SHA256
02cb2b4c5c09a361a5257c6607f173c9be2441b943735a3dbed369725929a691

SHA512
a1e2c0c8af73f6af0b15062b359c862989d7a66422162b690e084c4243f635bb149392710857baeea22e02ffa181f82c73be932e5f700624ee33717ca13338b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40219C69\Sound Bank.pdf

Filesize
788KB

MD5
98cde2887c51a0104a5c3ed556a79df0

SHA1
c1f7b64a2798a845a77330f609652eebff6e423a

SHA256
3e14366c4008e77dfe92b32a196af3f30f9870d46ce3d40a89aa2111239ee6eb

SHA512
27fdd1c0756ac188ce819079bc83b0a9147c082859fad76c4ad640667cd1475db389f0aed990331f0a2b4871f9c871b66b4eac86e0973f7bda1b1bcb69d1f683

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40248D49\Irregular Verbs.pdf

Filesize
338KB

MD5
c25d1bb2baff14f10aa3d8a05374eb98

SHA1
27b475d722200e580b9d07cadfcf46e92ec77c33

SHA256
49e15966ff8a4eabfd6bccdbbb5b56401b41ec14d32e5aa40ac93192f490b254

SHA512
ce48ba7f50ae8183cb6e717ceae9298dbcf8c45a9c0fe1fed8d7fafa4ec29e64459c97466c04765c64db261282a03dd8a59ff3d4f239502dee62cc0dd213dd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40251D59\Listening.pdf

Filesize
5.2MB

MD5
4ea7d59f56b30e045a393b0dc6053646

SHA1
a3243f9054bf3731ab625a1883d35d9bbba3482b

SHA256
621cf9664c4e1fff8c5cccb45775483e0f93b5321fa6b87ed3ff5f5a010ededd

SHA512
13784b49a39036edc2a3f9a17a81ed2dab32071e5dffbdf72249b8565c48a98eac76532955932c6995adf8a74574764cebaf26cd9a12e57f5b43d47de0d684f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO402700F9\Communication + Writing.pdf

Filesize
7.6MB

MD5
87c51039d252a6e1914f325bca1bd4d9

SHA1
4610ce69af543a3e6be3c4249124c86722dcab46

SHA256
5f6da8c1496b462245aa8ef86f853c9f68800cfe1b24370c8f80ef75f17f74c4

SHA512
14f024fd96db1282a98e7c365b95cc091bacd8a3137af057ed4a14ec203da6d93b6ede7350e3e971c8cad4863f5fd6ae3450464ac2154c9ef906ca1f13493ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO40294EB9\Grammar Bank.pdf

Filesize
11.3MB

MD5
3d73fd96d4b5f2ff5921d978ab9c3e74

SHA1
1e0f68c279224513a636a88d824bf92df3edaabd

SHA256
9c396fc6d3d4bcfa8781836569623ef1f3f32db8bc25d74c0bab613713c549a7

SHA512
749aad81e49a25ccb6ebb85995407a577a4ce87cdf1263d5520e77afe8e05ad5136aa39b3aeb3c0f914911a33f27e5a15a401a6700196e6eea1ddeb426acf3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO402B9EA9\English File Elementary WORKBOOK Units 1-3.pdf

Filesize
7.6MB

MD5
a56b33651a4707142f2eab543cb0c270

SHA1
c3b655889db225fc1f1b78c1ba830fe09f2337e3

SHA256
eab9be8b3768a2b184409ee766897d25f264937b4d2b86a2520bb7b34fbd6fbc

SHA512
4e2208aa0a978b2db0562bd10a936fb880914bd966c97cbb985295fb89bf8fddc8111c6313bc9bcf9979e764f3adf93648b717ffbe5b22c073aa7d1d4dd57bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO402F1F99\English FILE Elementary SB Units 1-3.pdf

Filesize
13.2MB

MD5
ca8506b63a3c431df4442d625ba87ef3

SHA1
44b300b9b5dd9d609985e45592dcf441af4d788d

SHA256
70689941eedd1001f0ea3c7f979c0a4e9de36a655c2005e38bc11d95f2624721

SHA512
8935b1a7a66999d9176fa46e892f82a46e3be92a5e8f14cadd0b7d3fe448693d11624d8e636c7f5b65eddcc9e8f0ad69bbb39c45d2f7173e48365b3604d3fb6a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Filesize
10KB

MD5
f64a4949e17ad5e05367c051886fec7c

SHA1
ecd540120d776b9e29dab084f6cadb01f39cec32

SHA256
3558b8d3d441f4fc5945f4c6be4ac2048684324d63f052ed02ada62cb6fc3b4f

SHA512
30058765e97611cbed51de2d8e955ffd4c33abef6cb5a49c3bea4b6e181846fd8b9ae194ebed0d241b77e375f627bbda6a692fb48270744c0bf3823ca0b46a98

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Filesize
23KB

MD5
261f658e7e4d8063892c98b8aa05cc56

SHA1
574420c5674447ba0d6d1431ef39dc5158e6bc6c

SHA256
b31f9dfd03f338591f63cc45a394d2576d308153a0e3f9717a0362315bac60fe

SHA512
a5060eb23b3c3823811c591adff7cdd4954ea823295344876d5a5bb3d889a8b3f9a0d78add892ff6e495e1146850bf4587e254d8970d218efe016ce31bd2fc69

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Filesize
23KB

MD5
da457f3c494e4dedebc023d5ea580480

SHA1
99766603a6f2207ead45c1ce0abb5309820ad196

SHA256
d2af47123a70e6b4da94cc5ea6a44169f7daabf77c43a0f2708e417a21231230

SHA512
46f75e3132c5b69f0b87ec209a4ca2c6597a7c939770d9f6d8b2cf553bbe3ddc8727afdc88095cd7df5a82b7331051a0beb468f4fee63745be9d70ebb1a5d469

Download Submit