1e886aec89dee2b72e76443beffd56c9081a665647acc29efceda02bbbf89aef

Analysis

max time kernel
205s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sunucu Kopyalayıcı.exe
Size

11.0MB
MD5

4927e57c08c79469e63c6df3ba25e8aa
SHA1

dd74eae8aead001a3d06951ec15238106a7a4901
SHA256

1e886aec89dee2b72e76443beffd56c9081a665647acc29efceda02bbbf89aef
SHA512

7b4a8f08473c4420d3d9b021d95772c91dfdf683ec5b763f94ef92629cfd0311094c13650adb756dea8e4272ad99567139a4f4171f64c7a28bffe88c710ad35a
SSDEEP

196608:FVtgesW+buXVw1/wbITLwOjUqiICteEroXxo3zlxZV3Gu5D4S26/CS33LnGNLowH:So+d1obI/wInEroXW14S267GJ/zU2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 27 IoCs

pid	Process
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe
2904	Sunucu Kopyalayıcı.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607177491707589"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
3860	chrome.exe
3860	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	Sunucu Kopyalayıcı.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe
Token: SeCreatePagefilePrivilege	4368	chrome.exe
Token: SeShutdownPrivilege	4368	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe
4368	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 2904	4180	Sunucu Kopyalayıcı.exe	85
PID 4180 wrote to memory of 2904	4180	Sunucu Kopyalayıcı.exe	85
PID 2904 wrote to memory of 4692	2904	Sunucu Kopyalayıcı.exe	86
PID 2904 wrote to memory of 4692	2904	Sunucu Kopyalayıcı.exe	86
PID 2904 wrote to memory of 4444	2904	Sunucu Kopyalayıcı.exe	88
PID 2904 wrote to memory of 4444	2904	Sunucu Kopyalayıcı.exe	88
PID 2904 wrote to memory of 2192	2904	Sunucu Kopyalayıcı.exe	89
PID 2904 wrote to memory of 2192	2904	Sunucu Kopyalayıcı.exe	89
PID 4368 wrote to memory of 4400	4368	chrome.exe	113
PID 4368 wrote to memory of 4400	4368	chrome.exe	113
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 4464	4368	chrome.exe	114
PID 4368 wrote to memory of 3652	4368	chrome.exe	115
PID 4368 wrote to memory of 3652	4368	chrome.exe	115
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116
PID 4368 wrote to memory of 400	4368	chrome.exe	116

C:\Users\Admin\AppData\Local\Temp\Sunucu Kopyalayıcı.exe
"C:\Users\Admin\AppData\Local\Temp\Sunucu Kopyalayıcı.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\Sunucu Kopyalayıcı.exe
  "C:\Users\Admin\AppData\Local\Temp\Sunucu Kopyalayıcı.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Kler Cloner - Developed by klerlow
    3⤵
    PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdb371ab58,0x7ffdb371ab68,0x7ffdb371ab78
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3608 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3944 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:316
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff630d3ae48,0x7ff630d3ae58,0x7ff630d3ae68
    3⤵
    PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 --field-trial-handle=1820,i,3170023804489692782,9557468976854614403,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
931964c10100526a1045de55273d8c7c

SHA1
8ad1684a704950eb0ed3bf8a1f3772b37deed7da

SHA256
d66deb87fcdffd7712e7205fb7a9ba194ee2baad6f62bcc1ded9a5c148c6f185

SHA512
3144299f82f3d4de3a757cff12cff989ecdb98e78658204cacf43ce9d5707bb3b0068a82324259139477c7305e6b1f0fb58fe56023ac1cb1e17c5668a0dd6c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\dfac5bef-1b6d-4aae-8b36-b92c1280a1d4.tmp

Filesize
356B

MD5
e8a87639abc64ea73349f43189cf6d9f

SHA1
b0528a118f42fe56c32f2cfb855691d56c260236

SHA256
baa74a2ff90ce4bdc5bacb5b98982997caabaf24ceb120ef677a477849d24543

SHA512
3e99cbf112697a132e3623d491152b3165eed2dae9ba010fc32d76463718fae9e106e97c9ce0942ee3c5b32411a449c153f4aaddd048e5fe762fd70d4816d05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8224e802c4add7d9dbe717af99bfbd5f

SHA1
c6ceb7099816e02af54285c7570dbaa0b2d083c7

SHA256
beacfbe1f087fe9a874f40f6ddb9caa33032d719aec9f786ed4bfa55e9a25e7f

SHA512
50fd3e7cf4b2dd19da99aa0e3477c08147152354d5c3fe1457026b3e7969509b99e289a67368d1e44e7771da30f613fe6642d1d49c44319d2c2a108fc862ebdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0a8b56e1ee6927de55e2ac2aa8b26592

SHA1
07d7fcdb0c9460b58576245cb8f4d679f1d6210c

SHA256
3fe29ee180beaaca87275d4f2fb67aa1674bf39111a8087f7a6621efc910f08f

SHA512
738e2e3f700f402c0bd4f9ea2b5867d4a92eca9ee13117b803e0081f663dc0acc3d1adad21bcf5bcfc6aa194f524e7f807e13d46b44adbcd43ece46cae6ae166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
1a04bce19907425c4d1822ba01dd9dea

SHA1
f9a4f0e15d3f8a2e25e3c4a912846f0e11d2dd56

SHA256
a9183d71fa166bd6d9e8f6633b42c912ca08a3d8991662a3970d6ec9878e40ca

SHA512
1e0557398befc14388730a2d849631e3dab926919a0471554565a5ba6a1ae0fb762d955356999485580efdcc073371434552fa099af1ceda6e750f7d30b5c6e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
16169b94d813f9b7b2c2dc3c7f79b3b7

SHA1
a8ba639cf53396b5d9dd4ec875c8af2c17b1b471

SHA256
5c0f7fc1e38ece4bca5852c78bfdfc7d785efdb2fe7d32644345c8deb10375c1

SHA512
f395890cddb57ba26201302b2c8223799390cdb80b4e8eed648c670ed0f1920be08dfdb6906ed3dba92009c88aff2a666cc370fb0b50411c3a2baca5cd6b7804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
bdfc44e64b9a86bb8aa68e00c4ee2de7

SHA1
dd93b61d2acc858d38133d2d6bf88adb7b709ca8

SHA256
629109ad3ced0293b8acb0f6369e87eab1891486a072db6bf6b19726e21004f6

SHA512
9f68b621423d23b67503167e11c69342f04d7ad9a43613ac3de0e3c3f7e6d62df6786fdbce328b244aefc7fc63fdcc6890792ba84b15281d05acdb1934f849b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
9f387e6fb34f777e92c9ba09dfbec54c

SHA1
9a939c5fe7cfd6762ee4e1274551dbfad580dc47

SHA256
f708e520ec39776bf62199d0716d1fb3786507e85d9c47c011b31c83b66c7e77

SHA512
1cf259f0cbb48676083f028165b1b58a98da2a0d56b219e82240b3959fe846f3a5aeb56e1efa011bdc36c69cf3bd363b3abf0054df8a4a93106370dd3319399b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
1216aae17e939655ba7d3bacc841b633

SHA1
adaaccdfe1f48d94737f00f6bce3d18c66a2f361

SHA256
5b32748cc398e69aa0eb366d2dc8940e75404edc68d99d64dd7aa30556d3f16b

SHA512
821332f5baf6de5bb806017cb1021af4c8942c07e7ece1bdbe6eb05db491cf4715261c61887d289b526c88c870a4481e877eb275d11afb12f99d504a58fbff6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
92KB

MD5
8700aec6a02830abc85744d1286cfe49

SHA1
e8d452785d853a3186a5f0b2d87e8d2f49240721

SHA256
25d7cb07916c216345de701c764dc32a2c1965d72b40302cc83126e0cee41e9e

SHA512
5093c10d7ca7895af1e6018a6b2e3e809893650dbbe35a89f5db390f4342f37f218982db1d99a6903d9c963222981975b2b374294177a33c4b82e99495d5e3ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e6d1.TMP

Filesize
89KB

MD5
aa591736e3280ee0d0837112e0332c4a

SHA1
40b54529b905edbcbb594c60575f61bb78297556

SHA256
73567c7720d1ad9126411d9f2d1a84bbfe1fac9cefef5097034a817dc9d9a4e8

SHA512
c062d20b8a976eae9930140f748171bfcbe1200579f62e0d1855ff8db256323281b9bc36a11be9fff0ab3b7f389fb70b6664fc98667f8942a07ed71104383e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\MSVCP140.dll

Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_asyncio.pyd

Filesize
59KB

MD5
6c2a86342ade2fac9454b83a49d17694

SHA1
52946875ad946e4a170072f38e28e10f6037fab9

SHA256
cf0edfd508d11bffb63d1b104b6099e0f14ea0fada762f88364e7163f2185f06

SHA512
48d8eb8d20d041df37c4a6f243056607754046ed5f497260751270b42e9eea6f22fb1fb62d015e841d0263534f50bf6c812a6ade0e8bb0a0f79226bc64d05c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_brotli.cp310-win_amd64.pyd

Filesize
861KB

MD5
6d44fd95c62c6415999ebc01af40574b

SHA1
a5aee5e107d883d1490257c9702913c12b49b22a

SHA256
58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a

SHA512
59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
6f1b90884343f717c5dc14f94ef5acea

SHA1
cca1a4dcf7a32bf698e75d58c5f130fb3572e423

SHA256
2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1

SHA512
e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_overlapped.pyd

Filesize
44KB

MD5
5bfe7d9e1877fdde718bb84b67d8be68

SHA1
ebc7389ccca80d92d7b891815843e4c7d066cd51

SHA256
fe5666c1c8215cd2773744c815fb4a3b2f52f64cf0dde25d458441da22bf5568

SHA512
9fbf4c77784677957b8ade962cc0730ef6cfa865c14c712fd2a978903596a92e359a5234095b2a23d9e4daf7abb4029cd855b91cba696fde448668ccf4a1efea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\_uuid.pyd

Filesize
20KB

MD5
aeead50876ddb63cb8e882989041d7da

SHA1
c9bf23227ced84d39bd33665444de3e9064315c6

SHA256
c74aaeec487457139b47c0ab56e01922bfae6debef562800e5b9b6baf1ec9d6a

SHA512
74c8fe6cfd67e1984a2df9bd998ae363519de16b5840cabba01660154fbeac92e2c773ecc2884d531362e8a0b739673c44f450c1bea05ca33eef58a8e61bc2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\base_library.zip

Filesize
811KB

MD5
a2b54e22cede875dd5b980ad7c35a353

SHA1
fff02d92e15135d2d27f9aedfe8d563df7eb4929

SHA256
3ee15bebac18ce8efc34b3cafd46391940f0241513fa641f45e1df196fd0e5a5

SHA512
e8d7fab18e22adb7afdf1250a0c550124ad76ba2d3b05d6706809318cc8e031bec036494d973150a626852713834ff18a190024d223211ea7c29662465126cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\multidict\_multidict.cp310-win_amd64.pyd

Filesize
45KB

MD5
1b59c87f0871fed4ff2be93c5d9234ab

SHA1
7e5c8827a5b2dec5417800ab0a2001af46ab8924

SHA256
b7151a6ffa3dc7436d09b1e35343801e11f423c6b391f1177254236ec47a3ad7

SHA512
6092628a4c73ca2d29b6f6a0d1ed34627795363c89b2a45bfc75951f8148a288707231575183ef73d4fb24c022883ab3ab30da61c92664295fffd8a36e9200df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\nacl\_sodium.pyd

Filesize
340KB

MD5
9d1b8bad0e17e63b9d8e441cdc15baee

SHA1
0c5a62135b072d1951a9d6806b9eff7aa9c897a3

SHA256
d733c23c6a4b21625a4ff07f6562ba882bcbdb0f50826269419d8de0574f88cd

SHA512
49e7f6ab825d5047421641ed4618ff6cb2a8d22a8a4ae1bd8f2deefe7987d80c8e0acc72b950d02214f7b41dc4a42df73a7f5742ebc96670d1c5a28c47b97355

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\psutil\_psutil_windows.cp310-win_amd64.pyd

Filesize
64KB

MD5
7c46d46a2ffdf05793e83c9fabf472ff

SHA1
27d38da2cfd0b8fb35671d7fa3739d7446d0ac09

SHA256
a47da972f8440f6713328c5d9e5d805a0fb5d6325e45ed921f0f86c1ca662b59

SHA512
2ff79a51991cf5a6efbaf6135096c53b3614d1d772852892745c3e44f871caf52c374e4fd8d794c3f04c0a54dd77d1a0acf10cb9c43875409d9598980e79aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41802\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
78KB

MD5
7e620bd4ba53daae5df632f2774b9788

SHA1
28ec3b998f376b59483ad4391a0c2df2c634f308

SHA256
84c696ed1b5ba6a3819d73b6f27aee93bca72286b32307fe259e23dfc1cfacec

SHA512
e2d012dd9a7959c0e06340de3728d6e800b56cc0bc8d525c38dd49d9874095d2edc3ae06862d1a21e873c0da0678e8ab3bc95a57777d746f0d6d8b0c6c08c202

Download Submit