44caliber | hxxps://disk[.]yandex[.]ru/d/Tf0EJKzaNJx0sQ

Resubmissions

09-04-2023 16:27

230409-tx7c3sdf7t 1

09-04-2023 16:23

230409-tv84wsdf6z 10

Analysis

max time kernel
187s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2023 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/Tf0EJKzaNJx0sQ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1094353602480451655/iwXRe5GczCwBpNJy71UEaTWEPehskOT4c6LbuhNojAGvyX9mB0ftCXsTMjEdVh2ZaYw5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

273 freegeoip.app
274 freegeoip.app

flow	ioc
273	freegeoip.app
274	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

neVer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	neVer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	neVer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133255382569422449"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

chrome.exeneVer.exechrome.exe

pid process

2428 chrome.exe
2428 chrome.exe
5764 neVer.exe
5764 neVer.exe
5764 neVer.exe
5764 neVer.exe
5764 neVer.exe
2052 chrome.exe
2052 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe

pid	process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2428 wrote to memory of 2020	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2020	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 3060	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2340	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2340	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 412	2428	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://disk.yandex.ru/d/Tf0EJKzaNJx0sQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffeb17e9758,0x7ffeb17e9768,0x7ffeb17e9778
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:2
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5624 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5852 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6192 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6328 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4616 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5636 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6720 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2784 --field-trial-handle=1864,i,11427631870953420417,2608223280161665069,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Users\Admin\Desktop\neVer.exe
"C:\Users\Admin\Desktop\neVer.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
f64a072d635b7034bfb5780e0e4cc3e7

SHA1
5c7e29557dc54dbd3bd4d6178ed57c7c875c2a2c

SHA256
39bdfce3586c9addaaa9e7f5ddcea90b45f4e2ce726da0b64c70e3ed9e5bc339

SHA512
229f449e8e1aa9175627f6a4d22a9c22ef24426f603ee33b02b6c7a2127c32a7f7206fc550400ac11a1de33176570d3428a0f508d38c67091e43a98fcfd6ad0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
a6a08ca29c4db89b4a33e82ca5482b9c

SHA1
33abcbaeacbbff6131f824125fb934903eabbd5c

SHA256
ec991acfc712ef3c1715c09df3e184082e73d3cdc14a86928c9facfe265f9e3f

SHA512
2a32b8ab86befd09bde7898cc719a77e69deef3e2ede8bf573f1f8856f0041efcbb69d9dfc56dc7ea1743ecc7a6b357eda21e530ff639bdeaed837da4559e41c

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
61e10c7cfe2bed7e214a472236f608af

SHA1
b5619f300de067cce87c8fd5de315555034286d7

SHA256
9dbca2d73be3a04b89cd3821aedf26b460f82b2cd709a980b30691d55c4a558c

SHA512
4ea4e06f7ffea865760180d6d867ebc2256e1ee96c36f3cd6b614d1549b17982d3fb71ab1fb98cd9b46a02640a8753cad26d739e265584eb174fe8902e52bdf9

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
c65e55ced1c31aa13a5d94eeaf957182

SHA1
7050399be1d853258dc0d4250d950c27f2f9bb73

SHA256
31603e7d901a1e99a66b7001395f4340967165a3b8e24693af6a6b7093d7caca

SHA512
10a8287a860ffb7587c8d05d22427c0962d2ef59aeeea9364b75bbe5eb9ccbf97d25a294a939b8917f09155055b37c109378ff9016843b77abf77aa47281a869

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
c65e55ced1c31aa13a5d94eeaf957182

SHA1
7050399be1d853258dc0d4250d950c27f2f9bb73

SHA256
31603e7d901a1e99a66b7001395f4340967165a3b8e24693af6a6b7093d7caca

SHA512
10a8287a860ffb7587c8d05d22427c0962d2ef59aeeea9364b75bbe5eb9ccbf97d25a294a939b8917f09155055b37c109378ff9016843b77abf77aa47281a869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
162KB

MD5
fdfdaf63d56b4a9cd6641d79f7159fdc

SHA1
18b413d8b6b9f3bec32026b7e9d9f4e5e366922f

SHA256
f4dba3e15f08cf0686e6d89370ed42e8a5dafc38973501f0aa6baa9b93c720f3

SHA512
06fd67f1a2d5f168c75b5b833d3222d6c0eccfadd4021173a7ec7f949971554d1c7df322b1dc512ef14941e76a9ff6445ba3bd16d940be5bc177be989ec39c2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
57KB

MD5
f5ba8161395cfd5a23df81701d6457a8

SHA1
b0d9c88f802bdb1cd4ad8c9dc8e7a19a49920ec6

SHA256
e4d10e9b827a6ae6194a99796e3999b12b6f0fd41f817d60e68c26f35e513bf5

SHA512
209394e32355d82b75cef2abe681d7125caa91681391a1f5709917fff47c7286b4d7d557070bbf8c21245c992185a037f07b436365a45618c3b28ab7cd97eb7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
cd18473789e7d4e060f13198848d7751

SHA1
acee545bf07c6aeebed87a7c19a6793239aa43e3

SHA256
a1fcf82b09073eb9c82b09adbc64381a974125a1fdc210b14aabc7ce3df3eb84

SHA512
151e4dd97ce268c4a51e9f462b00ac26df83d70c5ce798b5ea8b6d3d6fb17625272e71416115ff2d4d5ac554b1391c895ae23ec2c7e7acf8fae0c4db44212fb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
eab89d328349f665dcb2e8002b7f7884

SHA1
49f5d4d5702d96ff9aa28257037b3341cea81e05

SHA256
f92e584f0bad377c2b8706113e7c107bec0615f231291c2f9106353b8b1c422e

SHA512
350622c038690865cfad3d0f37eb0771a87fcc7a4252e6335d854e02d554f1f4ed87ddb8266311bb22babc016ae8615bafdaf1962f4a95828e9d4dcd7289fb31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a7c01ae1deaa5fdbd27d1248227eb530

SHA1
0f88aa84153215bb79e0db07f6d0752df64cd618

SHA256
4d6741d18722b4f06c6d638eaa72a710872beed265b9f854e9b25a6f850b6c89

SHA512
43b6dd041824e26b21803200ba031f0d1dbc3c80e86dfb4dfdb9c648c89078686b186fec6cf111bc368c9d8a62ebf59fa6fa7951126096922a045267b9360aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7f6b54c860dd03e2b53748b86800b725

SHA1
5407383536d67d29dde24c5f7b52ab5eaefbe1ea

SHA256
26cf70f29962bdcd44f51f075fd7f9324aacf202a106c9163b59b866ad28690a

SHA512
23c5e1d0e839ce96dc7aae0e783e2ff7f6b62848cff3bb680eedc969b4e8697611e81ec8b4f0af3c1b5bfd62d7be166987e47e7cea5d3b4d406aef2a8d22fcff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
722d3e2794e05377e98fc460a858e609

SHA1
5c4b6ee6ca904cf37a67b80d8ae6e23632c06495

SHA256
827207310436c39ee7654effeea07419cfe832ece5a744310d84cc76816f1984

SHA512
84db9f47ed5cd019e7a865414945b66512c917b1ab7ac7c1b82232fdb44ea3e25fe0b2a14a8b24f27539e5fdca6bdc10606d7a8fe386851b9bfd1c3e7858d2aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a23966e6abc97118b3d4854f93da3e95

SHA1
632bbaf74465b47391a0cf7a18ef358e8bc413b4

SHA256
8c82d78e96cc85d68d3463391ce793a3f36d85205b28f9633c4e01465461aae6

SHA512
5482f8ddf6e3e8c4728d7a253615469a665070e41ec625155168d1c0fdf6e222258dc554cbda811dd808dff2c5657619081bdb8ccaa40c350f1520da90358a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3beca0ad62491f125a26c0e91331d0d9

SHA1
c6383adc8d4ca86d580b1edbc254ef00d1ea2629

SHA256
114441f72be1a779f07056aa5259c93ea2e9bda6c625cde711d0df804a306b27

SHA512
a314cf9b5b7afce4cd3870c4114182a1830e53fef0643dad39d87b907392e3b19046c817809d169b3f5af30914b1fd61db37bb59aec08cf8e3b46d06c5dc4c9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
89158382027759720a8ec5a3214a05d5

SHA1
142a08ade8d7b529899d3bee813b976e33879ff7

SHA256
7ffc3d1cabb34d77e03bcc6513c991020d6c15359fb7eff64401dbbb65b3d69b

SHA512
ebc41ebc6853ab136dce2cb098ee2bf0a461168fdc0b0d674fa6e0a428452d59c9c8a8e0746a0ffc88065431e4359cb392868fe3a218f96638f836f5b08ca294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
03fb33716bd4f077d686bf299b234e65

SHA1
c8ef7b83596cae138b5fcdf0a4b9e88bb6f9c0d0

SHA256
adce90acaa84056af16213b2a8e584105b2a69d3521ce1f8781e7a2c7b638e2f

SHA512
82756093407ace9220f4e4088fa381d89ab03bd306893a7bd84d925fe9aab5c6ca50cada0004f608944ef1a760c6675013779cda82a7a01e920f396d09e24350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c4e56b8d1c1490ff585913585bc9d06

SHA1
bb27e7f13684a66eca9563d589df2f581e8a5da9

SHA256
5b99aad5a74d9b2d7ac9e82e4548b9727935121a4244ff4e0a99d6dc2e5ef346

SHA512
015250cedb4b57dbadf9e6f823b463ffa4638cf2d585820ae4e6aade95a0591304626d7baa0ab56855af1751de0c8ee265a7ffcc736dc534cc2bf74b06a6f77b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df9a905fce5e4de0b955fca3614d8a73

SHA1
ccb96cf41c5da5108790ecb3fb74ec357ad71adb

SHA256
916e0491a32fe5ec532ce732a6c9304ebd83aebe5773450a2894fea9a9373ded

SHA512
b231784df689cf16e0902289e54078b1db30deb580028b8ce197617ad0041f8e822d3d34b8c04766f4bd36188edb8f1e7d873192e7c1f3edab416592c2de5299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
28cb7d97cb6016e5825a83cc74b2aab4

SHA1
710fe61f8e118aee09961f6a2a80e3387dd18602

SHA256
b9edcde5519a2f64edae1123e9a0ee0143668c10faff78109d9f6cd1a0225654

SHA512
bc762b9918e016f6e48dfbaa0373bdda22266b7d29543c62540d922f75a5d32262c6a634fa301bd71ba2a1b594b06cc3ad7f35d0c5735027966524efa4ac9f1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5759e7.TMP

Filesize
48B

MD5
b1ece5f17881667f069481e529fffac6

SHA1
d6dfa934b5a98f1139b399ef49f5086080933e80

SHA256
a1a55e0c6d51e3b5bacebcbe350262062d9a82d67fc6436cc6fa5b68fc032821

SHA512
ca34a676c812e7064fe47b0a3c205c983c50c9e3e988f82339b522dbc6f004cd84bd208af78a88c1ec2a7bd0137f83f6349f4e8b53b72c7c9929427669ef6bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
71cf5cc7889c092f9bca35ee0b052c5f

SHA1
2ac3411de3960ee73a8ac4f3fe5dc866f25e5aab

SHA256
1fb4460362ecd4988f292a173cbb75d1a72fe02e54afe53cbd1a0003900464f0

SHA512
0bce7a19d6e9cbfbc923cf2a11eabf32ec551dc81badd2ce93f310d611319d7cd8e799c89e31f2c8c598944648af363aee3f8200f73f15b2fd9347010f3a29f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
cd6df32e639e1ce58989612865062b75

SHA1
6f81f0c934b678ff331c2c68917388056c670b0e

SHA256
00c3bf1204fafd56f07482e17058ca913b37631f494b2420369fcb8e56321bc0

SHA512
0c3c7c62912f5b4b4a6107ba553de808a7404a68ff4be33e3ce7fbc5a08638103038742f2b75bebcc7db10a69eb9010754b7911b1ff85de9193955f13a3fe975

Download Submit
C:\Users\Admin\Downloads\crack.zip.crdownload

Filesize
123KB

MD5
197eb056dde839304944e7e1f7f2255b

SHA1
d457b67a1a80ed77ffff4e5a72d66cf48365de5a

SHA256
07d8c462f8f500c38f170c607d7351189839e46a139d4a8e0821f5b271f03b0c

SHA512
7684cf1a6073fac2c40ca66c7f4c84952b0c610be121be528148667b09fa9e300e0d6c250268f55c75a5b5d64b626ba1d13087bc9ad1cb95fcefb61589d2741a

Download Submit
\??\pipe\crashpad_2428_QXVJPNVWESWAFNPT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5764-499-0x000002AFC5980000-0x000002AFC5990000-memory.dmp

Filesize
64KB

Download
memory/5764-482-0x000002AFAB4B0000-0x000002AFAB53C000-memory.dmp

Filesize
560KB

Download