3e5e23c0adf484b96a726f9ecdbd4a3089ad7f8979329616b73e521825e183ae

max time kernel
1322s
max time network
1134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2024-09-24 2.11.17 PM.png
Size

45KB
MD5

578c76503d19e73f7a935cdfb1a4108e
SHA1

74644b49ebeb844cfa821fe70251f8e56ac6e112
SHA256

3e5e23c0adf484b96a726f9ecdbd4a3089ad7f8979329616b73e521825e183ae
SHA512

52b1cb29234be0e46a90cc26f8ac9ad6ff45887f80fbaf20da53bce7c9530111778317aaa393e6e94fe97f3f15372a0de869f709e768f278bd74ba989599ca0d
SSDEEP

768:54PXdrAREaTeqsZ+93ArVC7UpbJss0JAKEKFXsojUIFI5A29+FKn2g5Fh2O:54Pa1swmfNIOKEKSY29tnxhz

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe

Executes dropped EXE 4 IoCs

pid	Process
3516	SpySheriff.exe
2392	AdwereCleaner.exe
3460	6AdwCleaner.exe
1164	xpajB.exe

Loads dropped DLL 3 IoCs

pid	Process
3464	Process not Found
3464	Process not Found
3464	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	xpajB.exe
File opened (read-only)	\??\l:	xpajB.exe
File opened (read-only)	\??\q:	xpajB.exe
File opened (read-only)	\??\y:	xpajB.exe
File opened (read-only)	\??\u:	xpajB.exe
File opened (read-only)	\??\v:	xpajB.exe
File opened (read-only)	\??\w:	xpajB.exe
File opened (read-only)	\??\x:	xpajB.exe
File opened (read-only)	\??\j:	xpajB.exe
File opened (read-only)	\??\n:	xpajB.exe
File opened (read-only)	\??\r:	xpajB.exe
File opened (read-only)	\??\s:	xpajB.exe
File opened (read-only)	\??\e:	xpajB.exe
File opened (read-only)	\??\h:	xpajB.exe
File opened (read-only)	\??\i:	xpajB.exe
File opened (read-only)	\??\p:	xpajB.exe
File opened (read-only)	\??\g:	xpajB.exe
File opened (read-only)	\??\m:	xpajB.exe
File opened (read-only)	\??\o:	xpajB.exe
File opened (read-only)	\??\t:	xpajB.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
132	raw.githubusercontent.com
133	raw.githubusercontent.com
134	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationFramework.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140kor.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\npt.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\7-Zip\7-zip32.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.XmlDocument.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jfxwebkit.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Printing.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Emit.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\VC\msdia100.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\inktotextengineimm.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\psuser.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v11.1.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.Specialized.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vccorlib140.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\msheif_store.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-utility-l1-1-0.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\TextConversionModule.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.Upgrade.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll	xpajB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x001600000001e37b-380.dat	nsis_installer_1
behavioral2/files/0x001600000001e37b-380.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719410474902924"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA	6AdwCleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = 0300000001000000140000008ad5c9987e6f190bd6f5416e2de44ccd641d8cda140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8040000000100000010000000ff5fbc4290fa389e798467ebd7ae940b0f0000000100000014000000c45627b5584bf62327df60d6185744a2d2f2bcbf190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28195c00000001000000040000000008000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c4b0000000100000044000000350034003500370041003800430045003400420032004100370034003900390046003800320039003900410030003100330042003600450031004300370043005f000000200000000100000088040000308204843082036ca0030201020210421af2940984191f520a4bc62426a74b300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d8300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101004d422fa6c18aeb07809058468cf81939662a3c5a2c6dcfd4d987558d790b12887b408fd5c7f84b8d551663adb757dc3b2bbdd3c14f1e03874b449be3e2404526f326492b6a84f1547ad442dafcd36abb667eca9eeae9bbdc07c7c3924e833c81499f92d53209ea492ea111719a36d2c54e68b6cb0e1b2516af6cde5d76d81f72b193268617db18deaf45e9dffb98af1418eda45ef6899445f055044addff27dd064a40f6b4bcf1e40f9902bbfd5d0e2e28c1be3b5f1a3f971084bc163ed8a39c631d66cb5c5fda3ef30f0a093522dbdbc03f00f9e60d5d67d1fda01e032bd940f7becc87665480a6a3b8f51962d5d226b19826ee9acb44a7455a8195151af551	6AdwCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
2124	chrome.exe
2124	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1164	xpajB.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
3460	6AdwCleaner.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3460	6AdwCleaner.exe
3460	6AdwCleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2472	4080	chrome.exe	95
PID 4080 wrote to memory of 2472	4080	chrome.exe	95
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 3432	4080	chrome.exe	96
PID 4080 wrote to memory of 5044	4080	chrome.exe	97
PID 4080 wrote to memory of 5044	4080	chrome.exe	97
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98
PID 4080 wrote to memory of 872	4080	chrome.exe	98

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-09-24 2.11.17 PM.png"
1⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffba9aacc40,0x7ffba9aacc4c,0x7ffba9aacc58
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5012,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3660
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6ee644698,0x7ff6ee6446a4,0x7ff6ee6446b0
    3⤵
    PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4876,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4016,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5516,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5532,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3184,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3396,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3384,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:3828
- C:\Users\Admin\Downloads\SpySheriff.exe
  "C:\Users\Admin\Downloads\SpySheriff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5512,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3484,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=860 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5324,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5268,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3392,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5116,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3356,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5220,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2372
- C:\Users\Admin\Downloads\AdwereCleaner.exe
  "C:\Users\Admin\Downloads\AdwereCleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2392
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5680,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5400 /prefetch:8
  2⤵
  PID:3720
- C:\Users\Admin\Downloads\xpajB.exe
  "C:\Users\Admin\Downloads\xpajB.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6172,i,3284579169150903457,10864266701426085497,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2124

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

Filesize
1.7MB

MD5
c606bd7c9c733dd27f74157c34e51742

SHA1
aab92689723449fbc3e123fb614dd536a74b74d4

SHA256
606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

SHA512
5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
37fbc01d18f9d27825d5275df5d7aa68

SHA1
3608e635e15aa6f9f94d91004c621a06713db267

SHA256
25c4f36d32c5de80bb6c9ca432bb825769bef924450a2ea626a9c4e558aa5eb2

SHA512
cd1834984d5aaed1964eb0b7f05c36cada2f7d8c1ba96af4be7ed08da2f30ca9dc32d7a24f62137172c83122985a2572e5e71cbe1f3c68b8f68485e893ebbc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
74a872607676c0715e3088fa6bbace06

SHA1
5371b982437872b324a1e3fc72e1e23fa671625f

SHA256
78dea153dfef8c664a0ff45c948428ddc6e69159768856e4364bf7fbfb3b6920

SHA512
9b6928d0d9645c4588852716111e55fff8b86a52089bded99724efc5f62c7da7704740e1eb147a00070e7954e9307ab8f3485ffd72e63f713ba26d597f35c360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
ebfc8698c64345c1619495dfab39a4a8

SHA1
9b68e96e643129b1c4b05f9039a76d5b7166fe63

SHA256
e823b96df922734ebdbd9226f5a1dbe28facc490e4c0d98816859949c7a742a2

SHA512
33f806c6a662b99f078696ce768d06e5e1215c2910c8dba9ae3375d3ffd399b114891a1ed3b8f8143fc5c23430286474d0b75d0414073dbe6ecb264b7f0809fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
6db671d5dea88be766e6a24289d1919f

SHA1
65de2cd8bb2e0b63edc16bba8a3490365d0b83ad

SHA256
dcb3f857357399a6648774536d9de17ae69b6fe43a56cb113d37421ac404792e

SHA512
c22a16d55536453e85d09c989bd08ca41fed7758bd408626c9551dfbce9fb0f369c5aa158b75d9347d9380d1bc1aa659ab9414b08347748475a3a20368e9e8f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
27a3ddcc5f889f8e1c8785b58152bd07

SHA1
5e33094762ecd9bf708d5c3dd18dc4aac1bd0ba0

SHA256
f2ccc1929948213f0e692fc4673cb330ea64b0bfe6408c6a811fb80871b87aa3

SHA512
6e43d135db7856bd96d354e55b88f27e7ffb88657a9844c23f530cc65f96b76a9dd5896172f89562c56f0038bfc8382fcca71530ff5ab9077dc74ec354dfc5e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
649f0aa53d305a8c937e6d0c423691de

SHA1
3a2aa28419cd01cfa55785297f725bf6fe5cd92b

SHA256
16261bec8cf508499aee98286c4aa9199d4671c608643a7d549abe87e83404f5

SHA512
91d639c04edeab07a5d49b17b2cc648385701777f27c64bba2e3276b263514f49bf95585a85e47fe928dc1a5e89554c2f93e320a6b1cf3e0d9dd26471be1ee7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
239fe6472e863606f663d4e0beae7448

SHA1
c54baf0077876008909928eaf8d2cb50783bc5a8

SHA256
4bccbd6370bf63652a7fee2506ad3e8a76fe1b5ffb3931c727b30ab45e60f562

SHA512
9842413cc425ed492b162d2b82a6495dd91d80fb1d27e572ced4d0627714613fb869a2c874baa3342d1e741cba4a09024b6d693a35619526fe7b3fa1441b6bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9b08da9f30b0c490eaaeb91f363060c5

SHA1
067e0d2a95c88494f09b9d0893e05ef64f536e8e

SHA256
ee9b332c036b0c9627265c1477487c9c7094aa897f5e501bc4eb3f6f5181c25a

SHA512
c8e9222d804059c004afa7166e14556a7ce037d369c562ba4e1bbb6ccbed6c7db1e5030cade48157df40173a5bd2868dbd36a1fe6e8fa77b02082070e439f332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f361ccd4e046266f8810cd19497b157a

SHA1
350d112858432b4e0d961d8786f9fe2a2d63d383

SHA256
133257a80c12b9c99a49b84e9fd88300b76b791ba2e9a1b837fcae018acb2ab5

SHA512
cb0e778c673c43f5f4ad7ba8e8b68d1e28e3c23174702393dd2aeafa582fc1f504a91fc1617af85d0f22b67e44eb809beb1250a42c683aad67e9e56f5b4d7f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2d72dc303f1f5284db83fcf45576fd4e

SHA1
89d38fef6d878d4fbc81b28c0a12fa8fab7e8999

SHA256
9927b7465590fee1a5d835b3da4ae596cfc9c7fc71fea1c23cd86f1dc0b984ed

SHA512
162e19316e356f8347c5ba9fef5df6a4ec237bc1b615dbebbc5e0c1e9e15c1d9444aaff789eb231960198b9a83016b2bd65bfaa5b767a447f1851ae6cf9520f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
88dff30da94581e22ecd8b1e6fceb588

SHA1
faf72673e14b87ad615f7c9931df50f0b23cc178

SHA256
20266851a975b3007e2c6c71a8edcfc84764a3cf45c92453a6228b4229fa9de0

SHA512
58c8cd1464e8b7e7d274239d962158657c57d2e451021665f3600fe312ebb1e43113d0503670fbe3835753cf04eb1b0b9d76d6e3bf40e0c946b0ce20c8422f0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0988c4383d1f237c5a2c11b7c73f3438

SHA1
178f79017e44b6dc5e6129ef6525dab78c02b2b7

SHA256
747e9047eb46a0a51aca4d509acbce89191857b34e33c1d3d1fb6c7e3407e2c3

SHA512
4ced3eb61dcd6136d590facfcaba54737e16c5c1a6b7010b81867c01be45af40982883d16eb1c78eaede095e45ecd6ca0867cc24fb287bd8fc9fdc1785c0b2b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
718861de2e8d5deeb31e269fcf3f460e

SHA1
731615a3b9ad5f7a3cff4f5b4bc08142ab89d541

SHA256
203537b41662c92df4b0daedda470b986320b680eed7092b128800921eab37e4

SHA512
1e297e7bdb6853a1ecd38f031105bacf6494bb22038b133da39dfe101befb75eb23d792db9bd402a23d7ce35fe5204390173bdfd2e3bb4bd0ff88123f73ef020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a1666f404a5f37b31d13d81b24c776d

SHA1
2f7481f0a14f6c5e97ebe19160cb00f92e605d13

SHA256
96d9bd0cd02ffe42dd0acd27589281f7fda1f0f538d7fe30ff982e0f1132e7f4

SHA512
5ec3a993caf4a5640324306d551473343af6196f08742e75e4a43a3458fff428905758ef23266b4ed0f1506e699c48d80044845ac7a968d9aa1344d164e8586f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13ea906a5ff0bc692056ccc3130dbb3e

SHA1
2d8cae05083ed6c2d304c54a482c9fcd36027b7f

SHA256
f263adedf4a6f99530b37052b4d3b7dbe1b73166e01a069b670b531927949104

SHA512
115f694677077ee05c65d3851c74a5538d82c4303debeb516d0692ad96ca65f1a42230761b98e5212b3718612181d1e579450ba548377e4b7edb41f82d10ae15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2b6f772108ead43499f0a2b52fd75e9

SHA1
cf51c00b4427b93649799758d71b600774450eeb

SHA256
670e6160ae9f1ae105d11ad354cfa6efe5ac2c9ed017cfdd350036ab70501669

SHA512
43f5dba5284a85a15b022f5cb9636f358ca4f5b267324ca5358c311f7c6eeb0ba68ceafa9a6642c4d4958928f7ab00c2325a96f7b18a78b64abde0cdf1c2ab6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3bbf53ebfed59db4e9455db536b6c8a9

SHA1
f09605297ba3724285fc21272d402d68dbcdd518

SHA256
e8045a3308823a14f210a7404f3bea0e3127d09b50c2d31f2345e99058610b71

SHA512
e702790dd2412b98727bdd99a6d9ec668c13f2fe99350cb2177f2673787bce6878849f61caa4b99fd5e36abb5b86d4b3e8f11d89cfd0b62b646e4e0bff74fdd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
942423b3e759b8f7820866590f20ac8c

SHA1
30f243cc148c3e675d09a0d89a6bc0069c9ea150

SHA256
cddbbf3b04ba7069447df3bd09127de874d378d71da95d77ec47d9542521d0ca

SHA512
7652433ef1b43037646d68223d61fc6cf4430b68d59ee4626e5b13a816bc7a3a6abc4135004d9246fb1b798637b6e2565427e13d73a7b2be6a936b6de1a7f71c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
703a7f14abb24f985c9fbf35f466760b

SHA1
e0e378280ea822b390314a64f3e88b565f586394

SHA256
5f1f2c690859920aa33dd10cc1484eaf9a419edc7c5259f2a7e592491698d7fa

SHA512
a78f4fae842ea9ed0b561c3b09df1b55cf3831ed8a80f67ea89bc3aa84b269854b4b62c2972179d6aab25da8c99e5c29acaba0ba476cb7f9ca948b0b5ad18f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d3f570cf1fd47563c341b206da244bc

SHA1
93a4d5aae3d90c8ff27aa0ecc53f9c40057e957c

SHA256
271ba1a85a30cfefa9e77ceb974fef93b3da7ee67b9d5c65cd99d9b6715923f4

SHA512
341a6261a35ac3d89381e1ab248fe7fc70db5daa5105fec0db9aad8a99571322c0e49c207d373eaf1a83067f517c35b803bde45631d5d7c4424e13541a8d9e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17ace917df55c6d0941328fb3c7a13d0

SHA1
e0f04edd910085cf1d2eb13bffcd25bbc0b0a95d

SHA256
410cf5c5e43606318fc2b81afef7b68afbede284356f9f8272ac2390a98057e7

SHA512
3092aab8dd9059066a82c600058bfb6ab1cbb9ad402c796c165e074ddcf67ac81baf33770394726baa1a61ac1a8277bb3e05a7006f9520f2b88a72308c212a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d5c102f1dbaeaeb0dc75a8842c9cbd82

SHA1
cdea596121429eee61e487b6c1ecf5ac8edd416b

SHA256
e3d4d46cc28cca8c9b4e58f4e2e7815b2c16b3a1d3584c93ee36194467b921da

SHA512
80949c9c76fba67df08c2fc32b384767da0ceb5a927853f45b6a7bc5814ee50cffb8b7f84094732347262f16a2338cb5ca1a438f604e73566713ccf860cf45d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
b220fad758e8c15cbae6e7451fdb91f7

SHA1
70f3c953f89a6873f2b8b12939f9e795569ae698

SHA256
e1ace18d8bcbad21956ec8ca7e62b5a61ec78004f193ed1bc4f2545f2121bab4

SHA512
a5cea8f6e8fcc13ec64663c247f59f1953894282b026f7b97057250ef37b0f94075de09f61ed11719de1251d06d36a83c502261c484981e728a0545f36a0e4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
8084d2c57551306b0a7fa6e992e68d5e

SHA1
0bc27784961f48394ae78e7c45e1dcb382c79bf2

SHA256
13d5e6cc952204641084bcda411986099527a30c80e963eadf35fba522ef0099

SHA512
edd7d38dd8deb27268afd2ef25d7fb3bd3ba330cbe2599f64d992f652b502f0464075f853bcab1d0864d6adeeaa794330905a28daa7882d5aa627a3de48dcdd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
65131f42ddcb61161155d07938690535

SHA1
6cb759c0d0bea5c80f8c9bfd58fc14237722a923

SHA256
38b14a320205aab2572a64b501897c17c356d4d9371b1c4fbcab524ad10720cf

SHA512
30adb549b611d1f5bb46940866c2c19f9811fbd7fd739382b4ace68705efed751a032497a848a5c1df74c7e0fed2c62305d649c465e276062436dcadd7f675a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
e137070cbf825b545e4bc675213ba30f

SHA1
9d67f876f8643f2b3fc43b8764eaa8f4e10885cc

SHA256
04bcc7272418abad1f13fab3f985414e043bb2b81a0d61cc23f26b466908eaa5

SHA512
5247d35d0d4103592fae906882603db1c5474176f1eb08fb8d759e2db12f5da5d4635634934f88093397a6dff716961ab5a80194a62dcf58ec3fe3768463d6cb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 513525.crdownload

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 565596.crdownload

Filesize
520KB

MD5
bd76fc01deed43cd6e368a1f860d44ed

SHA1
a2e241e9af346714e93c0600f160d05c95839768

SHA256
e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf

SHA512
d0ebe108f5baf156ecd9e1bf41e23a76b043fcaac78ff5761fdca2740b71241bd827e861ada957891fbc426b3d7baa87d10724765c45e25f25aa7bd6d31ab4ec

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 827995.crdownload

Filesize
48KB

MD5
ab3e43a60f47a98962d50f2da0507df7

SHA1
4177228a54c15ac42855e87854d4cd9a1722fe39

SHA256
4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f

SHA512
9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f

Download Submit
memory/1164-499-0x0000000001F20000-0x0000000001F23000-memory.dmp

Filesize
12KB

Download
memory/1164-510-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-500-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download
memory/1164-498-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-630-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-631-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-632-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-633-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-634-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-635-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-636-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-637-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-638-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-639-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-640-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-641-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-642-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-643-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-644-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-645-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-646-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-647-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-648-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-649-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1164-651-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download
memory/1164-652-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3460-658-0x0000000022610000-0x0000000022DB6000-memory.dmp

Filesize
7.6MB

Download
memory/3460-455-0x0000000000B90000-0x0000000000BBE000-memory.dmp

Filesize
184KB

Download
memory/3516-391-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3516-312-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download