Edit tour

Windows Analysis Report
https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Gui

Overview

General Information

Sample URL:	https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz
Analysis ID:	1455410

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected non-DNS traffic on DNS port

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 7108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Guide-Spring-2024.pdf MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1892,i,8974076035582547648,5252766854740829689,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://cmcoutperform.com/sites/default/files/Course-Guides/CMC-Course-Guide-Spring-2024.pdf	HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 2.19.85.159:443 -> 192.168.2.16:56739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.85.159:443 -> 192.168.2.16:56742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:56743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:56744 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:56738 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.209.137
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.85.159
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26

Source: global traffic	DNS traffic detected: DNS query: app.salesforceiq.com
Source: global traffic	DNS traffic detected: DNS query: cmcoutperform.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 56743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56739
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56744
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 2.19.85.159:443 -> 192.168.2.16:56739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.19.85.159:443 -> 192.168.2.16:56742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:56743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:56744 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@25/7@6/122

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Guide-Spring-2024.pdf
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1892,i,8974076035582547648,5252766854740829689,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1892,i,8974076035582547648,5252766854740829689,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Guide-Spring-2024.pdf	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Downloads/downloaded.pdf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cmcoutperform.com	209.15.205.170	true	false	unknown
www.google.com	142.250.186.68	true	false	unknown
apiq-apiv1-06027f9a-pb-48692342.us-west-2.elb.amazonaws.com	54.186.7.49	true	false	unknown
app.salesforceiq.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Downloads/downloaded.pdf	false	Avira URL Cloud: safe	unknown
https://cmcoutperform.com/sites/default/files/Course-Guides/CMC-Course-Guide-Spring-2024.pdf	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.67	unknown	United States	15169	GOOGLEUS	false
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
54.186.7.49	apiq-apiv1-06027f9a-pb-48692342.us-west-2.elb.amazonaws.com	United States	16509	AMAZON-02US	false
209.15.205.170	cmcoutperform.com	Canada	13768	COGECO-PEER1CA	false
142.250.185.174	unknown	United States	15169	GOOGLEUS	false
64.233.184.84	unknown	United States	15169	GOOGLEUS	false
172.217.18.99	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1455410
Start date and time:	2024-06-11 19:57:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Guide-Spring-2024.pdf
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@25/7@6/122

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 64.233.184.84, 142.250.181.238, 34.104.35.123, 87.248.205.0
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://app.salesforceiq.com/r?target=6668871d36fd2c590e69738f&t=AFwhZf1FA5UQoPJfZhv0fx01F18fhOllxr31LLKGz8PWgJeYNHYxSGFA1JrUEUUQObQ88teMdqd0o9ZIV8WeyIc-KGkN2-4Kwg3aQDptaBRRW9C5s_w2iMo0-UsKA37NOqreaHz7kZF-&url=https%3A%2F%2Fcmcoutperform.com%2Fsites%2Fdefault%2Ffiles%2FCourse-Guides%2FCMC-Course-Guide-Spring-2024.pdf

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 11 16:58:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9883271319675844
Encrypted:	false
SSDEEP:
MD5:	984C09F7E8D74BA7565E76544C3CA1C0
SHA1:	DA8F114D586C3344ECB71B0ADF11C5955195D94A
SHA-256:	45CCE062FC1A24A02D49F343F6AB9AFF3050FF538A2FBBCE0AB04F8E31E92020
SHA-512:	EEA6E2F5AE15203837F98B9C29058EBFD12AAC19358FB1C338C9300C26F4022CFD13742A9118359C30544F63C912539E85C83F381D02AC5DAFA2BB2AA918D0AC
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....q...(...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XF............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 11 16:58:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.002020606344287
Encrypted:	false
SSDEEP:
MD5:	B71BCB46EF920A5D8E05A7D567908AA6
SHA1:	0B48FA8280DA2D9FF9B80A20DEFFFB77F6F0A9DB
SHA-256:	9BA54E38D55B414B2FAE73EA1025EFCA43814B6DB1B2ED4BC59379D4666642F0
SHA-512:	D8309F97DC7E03A07A36DC6A079B3F12494E6C022B1848909300D1A3C1E6A4E414EC2015A72EC9249B54DD7D01A32F1FB03C65D08C9C5E5E84D62D674EB12381
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....I)..(...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XF............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.009587551960303
Encrypted:	false
SSDEEP:
MD5:	62DEB3AD7EC7BDE5D313B0100AFD4448
SHA1:	0270B2049A3189AB811AD3923724FC0F5C6691BB
SHA-256:	10BCDFDF41EA0AD886D678F681C4326761E9E43B4133B1B174526EA61A7DA2CB
SHA-512:	AEE413FB756D4A3FDF1D1CC85DE59199FE929D74259A4593BC6E50580FDAE8D5EFF4D7FCFC27F4E97414FF34186524F8DD15873858D1A12EDB5AC9B3B11669C0
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 11 16:58:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.001242066740001
Encrypted:	false
SSDEEP:
MD5:	B0136D0BA0741EFBC4B7C71EA79FDCBF
SHA1:	D75306BDF072AEFBBCFB464E105C8AD008668F65
SHA-256:	A0E796CCC36F822F8C640CF2871821CEEC0870205E65D93F070754976925A479
SHA-512:	31CA35D2C9C2E100E96FBF832C1B63120E49DFEF918591108FEB041AAD53686EFAB9F31A160845F4BC93833FE3832CBCE3CEE01AB8C43EDCC9A56915CEAA9E58
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......(...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XF............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 11 16:58:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.989268766201133
Encrypted:	false
SSDEEP:
MD5:	0869F650573642BB3FC880E071469F5D
SHA1:	6E85C2C37F9297A0EEC1574D7D8A8615FE7199D0
SHA-256:	4B602B7339A840D471001D3E2391B6C09AFBA4407E069F5836665A6BE79465A0
SHA-512:	1B664FD967B86116DD850D508015FE77C5DCB8598D035C102C950607F8C3BC8F43413FA66B38EA19219DAE337EA04586A147459937DFC8762A9F0C32E3BF644C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....+...(...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XF............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jun 11 16:58:11 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.999901891706358
Encrypted:	false
SSDEEP:
MD5:	2D0D7A39B94405FF00DD8053B00742D2
SHA1:	C9459BF44C8413185F2D4A09A23DE3A45C646F31
SHA-256:	E0BE0809DB6E6653E7217FAEDED58A50C70900E830FA1FE2F9EA5362AA7A5330
SHA-512:	6CA7F231D9173D151486DF23723C853E2D051097D20A721129745CC15C8653F61543FBC4A21D08FD535B25546A8DAFEEC66107944B67D7BF5E1D320B0F5F3EDC
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v..(...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X;.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XE.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XE.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XE............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XF............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............h.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\downloaded.pdf (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	575A7318838BD88615CF7A7457168840
SHA1:	F67A1D6C08AA25FF1684988158966861E240CA3B
SHA-256:	AFB55A1EACAF5BD0327CCEA4A45CFDAFF52AC8096E75B215D4FE39014C56E892
SHA-512:	FD3E9A2AD9AF84F213FEC6096467DC7A087E559F1EC0AA00DE797500919291BCB858F2C45DCEC6FD49B01BD9D410384C6395443375DED172AF27952D29906C52
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.7.%......983 0 obj.<</Linearized 1/L 3900615/O 986/E 210405/N 48/T 3880834/H [ 1196 1694]>>.endobj. ..xref..983 45..0000000016 00000 n..0000002890 00000 n..0000003035 00000 n..0000003071 00000 n..0000004620 00000 n..0000004655 00000 n..0000004790 00000 n..0000004930 00000 n..0000005563 00000 n..0000006208 00000 n..0000006439 00000 n..0000007071 00000 n..0000007109 00000 n..0000007223 00000 n..0000007335 00000 n..0000007432 00000 n..0000008038 00000 n..0000008708 00000 n..0000008810 00000 n..0000009427 00000 n..0000010100 00000 n..0000010206 00000 n..0000010857 00000 n..0000011552 00000 n..0000011892 00000 n..0000012235 00000 n..0000015111 00000 n..0000018020 00000 n..0000020415 00000 n..0000023329 00000 n..0000026155 00000 n..0000028456 00000 n..0000031319 00000 n..0000033992 00000 n..0000036643 00000 n..0000041923 00000 n..0000047276 00000 n..0000052556 00000 n..0000053616 00000 n..0000088160 00000 n..0000088201 00000 n..0000088715 00000 n..0000210255 00000 n..0000210330

C:\Users\user\Downloads\downloaded.pdf.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	3900615
Entropy (8bit):	7.9345275312637416
Encrypted:	false
SSDEEP:
MD5:	575A7318838BD88615CF7A7457168840
SHA1:	F67A1D6C08AA25FF1684988158966861E240CA3B
SHA-256:	AFB55A1EACAF5BD0327CCEA4A45CFDAFF52AC8096E75B215D4FE39014C56E892
SHA-512:	FD3E9A2AD9AF84F213FEC6096467DC7A087E559F1EC0AA00DE797500919291BCB858F2C45DCEC6FD49B01BD9D410384C6395443375DED172AF27952D29906C52
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.7.%......983 0 obj.<</Linearized 1/L 3900615/O 986/E 210405/N 48/T 3880834/H [ 1196 1694]>>.endobj. ..xref..983 45..0000000016 00000 n..0000002890 00000 n..0000003035 00000 n..0000003071 00000 n..0000004620 00000 n..0000004655 00000 n..0000004790 00000 n..0000004930 00000 n..0000005563 00000 n..0000006208 00000 n..0000006439 00000 n..0000007071 00000 n..0000007109 00000 n..0000007223 00000 n..0000007335 00000 n..0000007432 00000 n..0000008038 00000 n..0000008708 00000 n..0000008810 00000 n..0000009427 00000 n..0000010100 00000 n..0000010206 00000 n..0000010857 00000 n..0000011552 00000 n..0000011892 00000 n..0000012235 00000 n..0000015111 00000 n..0000018020 00000 n..0000020415 00000 n..0000023329 00000 n..0000026155 00000 n..0000028456 00000 n..0000031319 00000 n..0000033992 00000 n..0000036643 00000 n..0000041923 00000 n..0000047276 00000 n..0000052556 00000 n..0000053616 00000 n..0000088160 00000 n..0000088201 00000 n..0000088715 00000 n..0000210255 00000 n..0000210330

Static File Info

⊘No static file info

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\downloaded.pdf (copy)

C:\Users\user\Downloads\downloaded.pdf.crdownload

Static File Info