44caliber | 99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082

Analysis

max time kernel
75s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix.exe
Size

35KB
MD5

83bbe29b99a54bad48074efb72ce1fcc
SHA1

421deeba13130a8eebacc8c7f48f28e6fe8485f2
SHA256

99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
SHA512

67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
SSDEEP

768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7

Score

10^/10

44caliber xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

20.ip.gl.ply.gg:53765

Mutex

JCfj6Aifpywc6Ul9

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1257280785476489217/L0UpV_ifGB55FAhZrd11A9RdK3XS9SxV4y_plmFbDZcUnmaJOTP9fgCIl4fpiKvDuv1o

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-1-0x0000000000DA0000-0x0000000000DB0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2460 powershell.exe
2800 powershell.exe
2656 powershell.exe
2164 powershell.exe

pid	process
2460	powershell.exe
2800	powershell.exe
2656	powershell.exe
2164	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	fix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exechrome.exe

pid process

2460 powershell.exe
2800 powershell.exe
2656 powershell.exe
2164 powershell.exe
372 chrome.exe
372 chrome.exe
372 chrome.exe

pid	process
2460	powershell.exe
2800	powershell.exe
2656	powershell.exe
2164	powershell.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

fix.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2024	fix.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2024	fix.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe
Token: SeShutdownPrivilege	372	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe
372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fix.exechrome.exe

description	pid	process	target process
PID 2024 wrote to memory of 2460	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2460	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2460	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2800	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2800	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2800	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2656	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2656	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2656	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2164	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2164	2024	fix.exe	powershell.exe
PID 2024 wrote to memory of 2164	2024	fix.exe	powershell.exe
PID 372 wrote to memory of 1964	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1964	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1964	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1620	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1208	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1208	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1208	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe
PID 372 wrote to memory of 1996	372	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\nvbpln.exe
  "C:\Users\Admin\AppData\Local\Temp\nvbpln.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\jhvbeh.exe
  "C:\Users\Admin\AppData\Local\Temp\jhvbeh.exe"
  2⤵
  PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1a89758,0x7fef1a89768,0x7fef1a89778
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2316 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3128 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:1
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3380 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3600 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1468 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3448 --field-trial-handle=1348,i,10381174491199984685,13930553844737196264,131072 /prefetch:1
  2⤵
  PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f8da23a58134a767906b88767117e90

SHA1
8b0d9e867dc8c7cfb55101b9d567df92aa13eed5

SHA256
e3e064a262dafb7329c5d14a3f8bb4f36cc277841a5015429e439b2d165a0978

SHA512
e9c064ff2ec5d54ed51021199c412b8df78b4ea5bc6a13e130b11bf84c3e93f9549d850a8105121029ff0429255cd47d09b2ba2f66fab2ab644ff42502d31508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fd257ab7153f5a8fafb5e685163f004

SHA1
f883df70f541d47df97dd60cfbd1788637837516

SHA256
5f76b2045a5c6a295babf20ea9a5cdf638c9dd025f57ed0d5588e3e732009d9b

SHA512
5e693ed9ca0a833445a19cbad087a34491c96bae40edeeab5979fa218fde8f04ed0423e669ffe4b6cb455e272cd2e9acfbb877eee6d12e40938481b2781006cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc2241d96f3c20f046a7a287a61eee4e

SHA1
e1dca1b26874e64d6a08c871aa8f8c66a15e651f

SHA256
2df16b2441c7842f241ebf76a1274b08462a0657bd210eba86b19455e850e304

SHA512
a8a4d193818953d46fa56380cf8456c1e0b6adb5bbddd3a3494e8a7b6e2f5f82200cb3e6c3f1d868cec3edae8e151400ea525d76a33ca111df668294ab518646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e98d544d9842f18f6a4a88248b7bd083

SHA1
6d437d789b3691d6dcbfe54cd2a655cb096eadf8

SHA256
7baa410ad31de8c6f7dc097c79945925f366adb048c7d4457251908ada2a0a70

SHA512
b880af9f8050275e68b82a41e620a0fdbcb35af8da179249b83be15ce90a1b2d88b959690198f07c44007788c9b5a73f61e0dfd6e73a82db866e9a68568aee6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d3ce8a3d8ca050c841a1d4b301c58317

SHA1
cca92dc812b35b070b7a7c41dbccbd6eaa905514

SHA256
aa8ab791d36e521ca353254ecffbeb53100e90c3f5900c32a09443add8ad9dda

SHA512
050aadb98aa7392248c47acbcdf49c476479c3b0e649caac645ab6d026c9bc55274458c0791cf9f6889010f2d55cc4897995adb49fcde627adfc63b6e1167425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
364B

MD5
d1db913506bedea37d38081c70b2f818

SHA1
3fc6dedcbee8031a952b84eccedb614c26aa983c

SHA256
51d2703a4e2f805786b9f76e3d6701dfe470aa691688ad668fae292ec5e2c88f

SHA512
0913bae835fcac85eaf3990b3313c458b6d3e88c9e7dd802204e15193664bf922a5089b61dc3b86fcdf3b222df593a147c282d192b30ad711c74ab9da8d911fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6ce7bc4b30d151e4c10ddb25dccc905e

SHA1
d72158729e5a1e8ce61e7e577d164244f8296966

SHA256
bc781529443ef820e3224c67a262b5d954370725d988d8ca3f826a7756d28649

SHA512
1a4eadfe612c27c087c274c9cda3d18c48de2dbf2b8a978f0cea5ca1400e311679e87818a86a0d2400575be7f052ee4023a329c64be507c63b3ea8594b4870ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c5c6eac180f6635638feba8493c2b85

SHA1
89f1bcf0acd665bf5871fc2337a4394f4b78a65a

SHA256
8247889a3c222d9c12796a6d274254ef411bb2d528f2954ec120d9e2521c52da

SHA512
3e2c3e4999437c2f214c02d63a89f7660f058b84660f1ecd46c705d477956791a8d105fb572fef27baa83525792140291a33732eaaf96f67df7a62e7a32c4602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
28b6efaf5f9e482e71ccbf3ab816a5c9

SHA1
5fa60e083fe46b06c19669ad52ddc0106aa7946e

SHA256
0e7ce83c37de488697d13c3f2ffab1bc811bd7ff632363ce87fc60c8cc0b333e

SHA512
d48bdaa466ddf96c42bb751ce582873623c8ab314f021104581bf12cc83a62a0af49a62b8c72c81b15e96f9a863a0d05721a88cd40e898499fa6858465bff0ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bfe6814c084009547f8f3df6944dc983

SHA1
76ec239545feb85a427a0ed877bce9960a7fc019

SHA256
776ea32bc27d98dadd829282b30befefc1545580b868285d27993d083a18537b

SHA512
8ccd6de5ccc4aac5027830aacabdd52f92a1fee5d12054c0a721714f23fb73176f4db7c6587b86d8f987b69bbc9e5cd591c135430075a34f6a12d1b587132fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
e531cf4fa67dea48d7a8ae181b3f8997

SHA1
838e93db14e521be8616bc11b4ce5a3de10d2890

SHA256
33d48f5993f3679ec668a5e09c50611ad50cc39fff367c14964056c823693aca

SHA512
7322647367aa4067388e9c454d98a3caea9cd2ea7e91dbcde2b3052520ede628c47dfb8b0e25dc04f227f04b522b2b01d7efd34d534fd4d9bc0f23d89bba2e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF9DB.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE93.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvbpln.exe

Filesize
303KB

MD5
89069c3d83c29f44929e8f73e5672643

SHA1
8d2808c427dc3a039de3ab0902c7454d46d2a4a4

SHA256
69c4efe455f5c826e1c9df05518546a282efd01513c5ac811a9399f74e494216

SHA512
c81dd0189efc4e92813f4e9f224c59a246e8bec8b19185cc0a43da909a5acead5378b6b126bece793cd3d17fc25cf2f8a29d2a74169557317cf57252716beb08

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad0adb7edf57406e98919536868ea118

SHA1
0e300650c3445dee54dd193dc6802f9dbf725bc8

SHA256
f1ccfc0d6e49ad17d23e3cf0219f47b25660ddde916cde1a041344a3f4a2f60d

SHA512
44db064b74da8e2d2041b0957133a5177454d1502b61621118edea1f64027035770aa6f7351169013e3da8f996ef2ac9a74b9952baf9b20aa42e5efa4144c002

Download Submit
\??\pipe\crashpad_372_LZXIHCDYLQBMQTEV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/844-603-0x0000000000810000-0x0000000000862000-memory.dmp

Filesize
328KB

Download
memory/2024-518-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2024-27-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2024-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

Filesize
4KB

Download
memory/2024-28-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

Filesize
4KB

Download
memory/2024-29-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2024-1-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/2460-8-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2460-7-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2460-6-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2732-561-0x0000000000D10000-0x0000000000D62000-memory.dmp

Filesize
328KB

Download
memory/2800-15-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2800-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download