hxxps://drive[.]google[.]com/file/d/1Oc_M6cewFK4vwn58fejPLdF-w9U8bW_E/view

Analysis

max time kernel
52s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 03:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Oc_M6cewFK4vwn58fejPLdF-w9U8bW_E/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133778441668060834"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2580	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe
Token: SeShutdownPrivilege	2816	chrome.exe
Token: SeCreatePagefilePrivilege	2816	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
2580	OpenWith.exe
4572	AcroRd32.exe
4572	AcroRd32.exe
4572	AcroRd32.exe
4572	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2108	2816	chrome.exe	84
PID 2816 wrote to memory of 2108	2816	chrome.exe	84
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 2412	2816	chrome.exe	85
PID 2816 wrote to memory of 1220	2816	chrome.exe	86
PID 2816 wrote to memory of 1220	2816	chrome.exe	86
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87
PID 2816 wrote to memory of 1944	2816	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1Oc_M6cewFK4vwn58fejPLdF-w9U8bW_E/view
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec26dcc40,0x7ffec26dcc4c,0x7ffec26dcc58
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4912,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4700,i,15559929600892790187,10617154502320465183,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2580
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SCP SL Sounds 2021.rar.crdownload"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4572
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4BCBCA35CC7A2D49AAD1CED85854D7E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:396
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C1FAF99571CD7D9A0167B2E184E35E4B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C1FAF99571CD7D9A0167B2E184E35E4B --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
593e9672b826a10b03ef7e5dbd5e3d1e

SHA1
756d24fc35276e8e2b15eb1146ed9d9ab0891628

SHA256
fd713098c81d075edcb8394d327059153e73c50731ce2bc64312c18f3bd8eb11

SHA512
ad2c0ede9057c331049aa812b4e9217c29a280144f7778e0e43584f24a4e9d4a178bf34937fa704e813be27c09ebab561cd3c6fd02fdb403c9ab70603dec8493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
ce9209f85c611fbe9e69bd6fe34a18b2

SHA1
014ea066738133a386a3695bf4095b42e541b70f

SHA256
3457bfabdee7c94f4e527a84e3b1d792895f4b1bf6d2d9139be099093bed3773

SHA512
6b1bc039732e1066f7449e8ec2e69f0d71b6cd58f6123b88ea13882e7a57798aa0df3d532aae473cd823f819a33fcc2d5d531af65ef0148e299807954a0f7196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb7069f2e55cbc67c40c60434321595b

SHA1
27ddf004e3fb7a4ab5c306ec8a04220235acedac

SHA256
5a4dce0596a7a6cc80d512c2eaf087338617f2cae4bdc3e98568b3084431fdd7

SHA512
1cb0fa36d80004d330c17ee21ec11fd403ea4865d419305fb268fcb0d1f2d9f2732e9e639b75bfe6bb09f011bc82623a5a4e3d40f3f3e963ee61612d5e97fc55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
feac80d4995a87b6ac0551b7e4e2a018

SHA1
8251c7daf2065aeca698083b086a3ef2d81b0817

SHA256
413a9b95d5339360a95e01199a7c2ab00711a0bbc2509d5a4e7f05242030fa79

SHA512
be14ff792e761246c32d66719b37a496a997199d14535eb91f56943a7a7e503127b0694fe8fd939c564f211ecc9c6e2d96c3e7bd64bc08a50bd69e9535ef9aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc3d0f6c038927d12db02e01458088e2

SHA1
8f416545be3b67c2cc068bf04f376f8411c7c8b5

SHA256
c8d1ccd53dfd93c4f2b7942862ad73989929497d13bdfce2367e241aca09c3be

SHA512
50c7e0c095764e5c750a89ffabdcd8ccc4caad586191f5164a081792ee26e90e0407640fcfe0502b638cc2aadca95f45eb6aaaf763d33a8206609d5cd85e1dc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
05edb1d1335e032eb3a860608dae19a9

SHA1
78043440f1e20fab965abc21f5ecf8c358ac78a4

SHA256
a46e19d2449d21300449a536aef709eccd7bff1370ade3a79ef54e4142d7848d

SHA512
8456cf654c60a4a80babe254264d90d5066eec16eb8b89e5a57eb798d791d75b248d08088666e9870499300b54a309ca80695eeb165cc7a1f43a6f2083d55d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
05ed096faf584cbaff7402edca3b0772

SHA1
cb9962cad2e8cfb40fc6778f94fc66b6322e57a0

SHA256
6c4101b3a54f3270d79c50d895a43f9dff71c6ee9b6c4399542040cadc1b3f97

SHA512
4eb390d09ba6175045299547c7e044601e650f890931bfbbde4dbe8cc0cf7a621f1dccfd9b3899e62f70ad6d7957c88a58b09661e8489bf5acc2977470a2a98b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
79e723c45160505bafe42f583782c467

SHA1
6f1dbd7e80f419f180b91056c111eb70cddfe3d8

SHA256
d2075def9d376bf1ebf6c3a2a392f1fbab2bf4b5dd438f07fbfe42388e9ac838

SHA512
c8e138f13312e6be306c65c4560e37876303248de94210af026ae7a245331cfc6d255eced26e75c2cd46eeed698f914703af0c92d4b429f7ac83df57e53a984a

Download Submit