44caliber | hxxps://gofile[.]io/d/gkVFps

Resubmissions

07-01-2025 20:44

250107-zjad3szlgk 10

06-01-2025 20:27

250106-y8tnksypbl 10

Analysis

max time kernel
74s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/gkVFps

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1325922835482415166/Cr4KtH1YWjjiaWILdynZibwz-mPmcv61jGtmXXHtOTGTk9kNjaqy-i2fJBwwylldasRV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Executes dropped EXE 8 IoCs

pid	Process
4860	Insidious.exe
4952	Insidious.exe
4252	Insidious.exe
2780	Insidious.exe
4208	Insidious.exe
3552	Insidious.exe
1884	Insidious.exe
2028	Insidious.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	freegeoip.app
21	freegeoip.app
24	freegeoip.app
2	freegeoip.app
16	freegeoip.app
17	freegeoip.app
20	freegeoip.app
22	freegeoip.app
23	freegeoip.app

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133807562764688154"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\net40.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
4860	Insidious.exe
4860	Insidious.exe
4860	Insidious.exe
4952	Insidious.exe
4952	Insidious.exe
4952	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
4252	Insidious.exe
4252	Insidious.exe
4252	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2780	Insidious.exe
2780	Insidious.exe
2780	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
4208	Insidious.exe
4208	Insidious.exe
4208	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
3552	Insidious.exe
3552	Insidious.exe
3552	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
1884	Insidious.exe
1884	Insidious.exe
1884	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2028	Insidious.exe
2028	Insidious.exe
2028	Insidious.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeRestorePrivilege	4572	7zG.exe
Token: 35	4572	7zG.exe
Token: SeSecurityPrivilege	4572	7zG.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeSecurityPrivilege	4572	7zG.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeDebugPrivilege	4860	Insidious.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeCreatePagefilePrivilege	2232	chrome.exe
Token: SeDebugPrivilege	4952	Insidious.exe
Token: SeDebugPrivilege	2652	taskmgr.exe
Token: SeSystemProfilePrivilege	2652	taskmgr.exe
Token: SeCreateGlobalPrivilege	2652	taskmgr.exe
Token: SeDebugPrivilege	4252	Insidious.exe
Token: SeDebugPrivilege	2780	Insidious.exe
Token: SeDebugPrivilege	4208	Insidious.exe
Token: SeDebugPrivilege	3552	Insidious.exe
Token: SeDebugPrivilege	1884	Insidious.exe
Token: SeDebugPrivilege	2028	Insidious.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
4572	7zG.exe
2232	chrome.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe
2652	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4796	OpenWith.exe
4236	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2548	2232	chrome.exe	77
PID 2232 wrote to memory of 2548	2232	chrome.exe	77
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 4080	2232	chrome.exe	78
PID 2232 wrote to memory of 3956	2232	chrome.exe	79
PID 2232 wrote to memory of 3956	2232	chrome.exe	79
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80
PID 2232 wrote to memory of 2448	2232	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/gkVFps
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd9aecc40,0x7ffdd9aecc4c,0x7ffdd9aecc58
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4100,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4632,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4444,i,4389078031780990838,16098084502507113357,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\net40\" -ad -an -ai#7zMap11796:72:7zEvent22271
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4572

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2652

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Users\Admin\Downloads\net40\Insidious.exe
"C:\Users\Admin\Downloads\net40\Insidious.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0225c53cc9689e6beaeab8c3ba65bf70

SHA1
709a7b07aabb531c71e3e93f978974bc92d9c673

SHA256
52e2db46797bab8746020bdc04961c94d11ca83e55aea4e6e54aeb6ad54acf88

SHA512
b27dc18948ecde6e139b991ff767188a6fe65a1f823879f8a58c67bdfdbfd179bd7ef02e05db738d1138b9c10b8a047622d5f62f27550f8b1117855203e1f239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5411917be9b9a41a7b94be7dcdb25896

SHA1
876bc857f40e5454ca7d5cf268445b4e0a99c724

SHA256
9de647f30d294a9aafd22d1f9d21d01e8a31d5d0ee89bfc31c5b681ed37557da

SHA512
81229d0c3b9079894de0da5eec2b64d574f784ed2b3b16fc85d763f56a8f4aab9538e154252f691458ab0b1645327a5ff0358a1e96ef7ec7152c13ca3980677c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2bd9c931eaeffcda6a363a436769e446

SHA1
fa5ba2365c3c24e6e9b141dfa52c01d9326317ed

SHA256
c831e511822381e83a3bbe2e51028a26ed8a4680f1cdd764ace0a2a6dbfb6911

SHA512
31cb4c9057211ccbbea550fd607890746ecfea60eb5bf7a73a0d989ff5bc8595cfdeed195a7499e18fc30cbe1a70b5ba61ae600bc55dee912f2a0b34c1d2b630

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
2944de79e4a6a395905d2332085128ea

SHA1
6baecb50df6abc21eb5c0e6c0179a9a1fd94f6be

SHA256
8d188be47a2c2a0ced53bfe6333b616e31130c81bf918bf3d41708ec7a9bbcc2

SHA512
4eda3d76a633338908e3f7eb84640a7b5e6f58e1ebf2d00451b4755133e4deb040d03025586886cc86355837c58c46c892f61e36007a11c9488d72a3305c5056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a8fac0812ee96534b68f08150f1f6ea

SHA1
e2a28b6d3ca5d20c7ad34bb461dd6f53c6cc45b9

SHA256
b63e10d3b29f64a393beb2c66b452bbeca90ed8f7a7adab3036961e3cdd9e380

SHA512
b2b32d4922565d32b47182e2257b1582525e657ea5d237d4e4e2bc16b063b1c83ee823ae3e4740f1eeb27eedf6b7deec1e7793ee621f9d6c4cdc08997c0c042f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
399f1cdb4f25999041d370ddba6c4c41

SHA1
1a9dc05e9c15baf67a676e7eec20ca0b4a8ddedc

SHA256
95e410e2babb75fce5ecbd743c28ea095c2ce6a72484ba881ff10338fcdfcc20

SHA512
e40c2df7a04b0737b452284ba83f061fd61df3a8c9521fad77f490664e20fcc4e92d9b85093a7db59de096d1498f126dcc1163c91fea313f13f0f607054b3af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
24d91033f5c1a8d8242ec28bc5e7425f

SHA1
9771eaf5bb0338405ae2c7bacf4cfc8e716ec3f8

SHA256
042b0ee4c40909395aca2a23339d1f9f81492e8a98e14d58beaea953d7fbf1eb

SHA512
e41363191f9833d57bb41e0e85349d3467c5cc85e0bdb73b838988e53dce4aa5acea5568d00f1f661e50a3886d4c27ecd296c54e92b1d3ea277de699004ff753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
18cbec2990962203cc4697d6adf8e642

SHA1
5cc3ebe427be9056659bfa581d6675217325495a

SHA256
4dcc8baba41a27dd156e1af32b6bed379350fae7c642d9faeeb4c6c87d346049

SHA512
ff29162c6f9be66fabbb5e0e6970b87e1bd1e033423ca3e0176019fb991814a911b33fe5d43dd5203ad6161618188c31ff2626c35c468ac0067522b7e0a24afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EE2.tmp.dat

Filesize
114KB

MD5
e1bdc949ed4c93a97fa61c08b886f2cd

SHA1
05db7b0192094768b6f436a0c6e725a3377dded3

SHA256
463bff1de5e1a9ec2afe031a34ddf242df7f8b9a5803a285a842f4ad6320e1b9

SHA512
899b7b08b799405b82b16d542217039fa43203a08de91a9f1594c1c61f87135fb9cd11de08a15a9b69d7b5410853ddcf1797da004de736363085210660fac14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EF4.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8672.tmp.tmpdb

Filesize
5.0MB

MD5
202bc5983df360b1354679e2a1b49b78

SHA1
1291fb2b6868939fdbe101d5c49c95086803aa23

SHA256
5b43e46d743f9456d445e0747f274612755e875d6f2a21bd27f217caa7e6ddbd

SHA512
7a3f434c4f6e5939762eb8791d089c7a76422a48969ec125c52a41216769fc626c69b53af43340fbb332f6972e40d91c62a81e39c74b5c72d41cc06bceef9aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8683.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8685.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8688.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8698.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
315B

MD5
71227f862899452aa270d580a8b090c8

SHA1
13a6dc9506be2066777ec34acbe5ab62684c4929

SHA256
22e5316f3216208507c8ae67cbb2a90cfcf4389dae87f8f71c3388593eca57c1

SHA512
126c549e82d679bb9d3e229b09c3dded86b72aa5a98cb956a0d2a740ca43a4da14049134c3836c49ef50e76bb0a69fe158bb776a4c86a7e7b04893ced8ba5b5a

Download Submit
C:\Users\Admin\Downloads\net40.rar.crdownload

Filesize
173KB

MD5
be02331a664b6ad0d45dac52c9dc3b82

SHA1
2b22a36d5c71f77b2efbd016cecafc8cdba920e0

SHA256
cd9276db646acd91ec9ab4b8e549331fc95b200d1c07b05169040cb0624bd899

SHA512
0717b8e55881e379fcfa1625e56cc8f854768e718d4608675564d17c93a407d6e0d5579daf3a806f5fa7db6e5c3b4c87821d0a939279eeda7fb5d92bc2793892

Download Submit
C:\Users\Admin\Downloads\net40.rar:Zone.Identifier

Filesize
153B

MD5
d0d5f769019cb22b80d2791616e8dd76

SHA1
9fa409ad9a0f21bd23ee4201be975debf8cfa948

SHA256
9ee446d98f3acad9ef9ec22cd579a5e58df77359baace9b3cb97596431d14bd0

SHA512
c3d8247aa84dfaa7867f0a252b91906769eb6d69703cc6e29e03ef32644427fa0784daa170b77ee2b01ecbe8e424f4db930945897fbc5ec6df3ea8f92185e178

Download Submit
C:\Users\Admin\Downloads\net40\Insidious.exe

Filesize
303KB

MD5
9a816d269b61358c362f4179601deb79

SHA1
9b46453e2d22c5c2034277351e813e7a327e9b51

SHA256
8764d8993103b33627ab71eee710c7de224b30a3ffa9969d6d2ab22a4193f3de

SHA512
9af1110579eb7fdb83cc0c0ad93e79dd5b9a4c582a06df83143af5fa760dc751a53f5632eee40bbd6ecb255376c1b3552e4c0bfadf37d6e70a8361461565162f

Download Submit
C:\Users\Admin\Downloads\net40\Insidious.exe.config

Filesize
174B

MD5
29de2c28e23204909e646ee3489ce4ab

SHA1
1f75258825661c5e0464414de06805fc57de6686

SHA256
b1677d78346f02aa0ffaff28c796ba8f292ff801ec1a646909357a8298e372d2

SHA512
0cac4a63219b4f72e10bf2f9ec78a38a0e646028ca784b0208a380fe93e092ac6fb58a4d14f931765c99a352f314c90214e292504d843192fb2e5db9c5708d89

Download Submit
C:\Users\Admin\Downloads\net40\Insidious.pdb

Filesize
164KB

MD5
6a6b65efac3b7fe895b525a7234d2991

SHA1
eade77381fbac8b5cdf3849595cf39cbcb020d09

SHA256
a7d3054d43b6097b17b3ea024d67fc07796ea05def99971b388a9945c42764af

SHA512
c2fcc22d4bae9436ade891e58a305196cba76bb8fd2eaaebe5ac3a47a88d61676e1da1fb3eac81fe7cf92437bcd11e9287fdc0d3c0ed1a048413238b80fafddd

Download Submit
memory/2652-256-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-260-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-259-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-262-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-258-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-252-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-251-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-250-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-261-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/2652-257-0x000002C12B180000-0x000002C12B181000-memory.dmp

Filesize
4KB

Download
memory/4860-85-0x0000000000820000-0x0000000000872000-memory.dmp

Filesize
328KB

Download