xworm | eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexol.exe
Size

448KB
MD5

69a831d62d8eb89c3327538d23ea3532
SHA1

c0364914fffa90df86357489802599401b0712ec
SHA256

eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8
SHA512

21c3ca6b26bad70dff7e8c6dd26cdf89d0e311bcb6315505fc7ba068625ba8b4452dcd9ba3c714f68de7de5ed369e27b25e82438ad66fb327f1839c34a2a3877
SSDEEP

12288:tgmuiWCFstIScxuwu0iFsb9FYz6eEUFuYUgZ1jVDSFQx+:7uilFstIZMYiM923UgnDSFQx+

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

aC2Uqwxt1JZnqhmD

Attributes

Install_directory
%Port%
install_file
explorer.exe
pastebin_url
https://pastebin.com/raw/jkeHBv0w

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000004e74-21.dat	family_xworm
behavioral1/memory/2324-23-0x0000000000310000-0x000000000031E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	Rimess.exe
2764	Rimess.exe
2324	Rimess.exe
1640	Rimess.exe
3036	Rimess.exe
2536	Rimess.exe
2100	Rimess.exe
2456	Rimess.exe
856	Rimess.exe
1772	Rimess.exe
1500	Rimess.exe
340	Rimess.exe
2312	Rimess.exe
2056	Rimess.exe
1532	Rimess.exe
1940	Rimess.exe
2852	Rimess.exe
1372	Rimess.exe
2100	Rimess.exe
2404	Rimess.exe
1856	Rimess.exe
1008	Rimess.exe
756	Rimess.exe
692	Rimess.exe
2944	Rimess.exe
2560	Rimess.exe
1932	Rimess.exe
2716	Rimess.exe
2948	Rimess.exe
2852	Rimess.exe
2172	Rimess.exe
2152	Rimess.exe
2652	Rimess.exe
1556	Rimess.exe
1016	Rimess.exe
2180	Rimess.exe
1596	Rimess.exe
2740	Rimess.exe
2720	Rimess.exe
2784	Rimess.exe
2012	Rimess.exe
2640	Rimess.exe
2516	Rimess.exe
2188	Rimess.exe
2136	Rimess.exe
2344	Rimess.exe
632	Rimess.exe
1700	Rimess.exe
1336	Rimess.exe
1572	Rimess.exe
2312	Rimess.exe
2800	Rimess.exe
2212	Rimess.exe
588	Rimess.exe
1804	Rimess.exe
2640	Rimess.exe
1508	Rimess.exe
1040	Rimess.exe
1156	Rimess.exe
2040	Rimess.exe
808	Rimess.exe
1800	Rimess.exe
3068	Rimess.exe
1192	Rimess.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rimess = "C:\\Windows\\System32\\Rimess.exe"	Rimess.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Rimess.exe	Rimess.exe
File opened for modification	C:\Windows\System32\Rimess.exe	Rimess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1444	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2324	Rimess.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2832	2116	Nexol.exe	30
PID 2116 wrote to memory of 2832	2116	Nexol.exe	30
PID 2116 wrote to memory of 2832	2116	Nexol.exe	30
PID 2116 wrote to memory of 2928	2116	Nexol.exe	31
PID 2116 wrote to memory of 2928	2116	Nexol.exe	31
PID 2116 wrote to memory of 2928	2116	Nexol.exe	31
PID 2832 wrote to memory of 2792	2832	Rimess.exe	32
PID 2832 wrote to memory of 2792	2832	Rimess.exe	32
PID 2832 wrote to memory of 2792	2832	Rimess.exe	32
PID 2928 wrote to memory of 2764	2928	Nexol.exe	34
PID 2928 wrote to memory of 2764	2928	Nexol.exe	34
PID 2928 wrote to memory of 2764	2928	Nexol.exe	34
PID 2928 wrote to memory of 1940	2928	Nexol.exe	35
PID 2928 wrote to memory of 1940	2928	Nexol.exe	35
PID 2928 wrote to memory of 1940	2928	Nexol.exe	35
PID 2832 wrote to memory of 2324	2832	Rimess.exe	36
PID 2832 wrote to memory of 2324	2832	Rimess.exe	36
PID 2832 wrote to memory of 2324	2832	Rimess.exe	36
PID 1940 wrote to memory of 1640	1940	Nexol.exe	37
PID 1940 wrote to memory of 1640	1940	Nexol.exe	37
PID 1940 wrote to memory of 1640	1940	Nexol.exe	37
PID 1940 wrote to memory of 600	1940	Nexol.exe	38
PID 1940 wrote to memory of 600	1940	Nexol.exe	38
PID 1940 wrote to memory of 600	1940	Nexol.exe	38
PID 600 wrote to memory of 3036	600	Nexol.exe	39
PID 600 wrote to memory of 3036	600	Nexol.exe	39
PID 600 wrote to memory of 3036	600	Nexol.exe	39
PID 600 wrote to memory of 2580	600	Nexol.exe	40
PID 600 wrote to memory of 2580	600	Nexol.exe	40
PID 600 wrote to memory of 2580	600	Nexol.exe	40
PID 2580 wrote to memory of 2536	2580	Nexol.exe	41
PID 2580 wrote to memory of 2536	2580	Nexol.exe	41
PID 2580 wrote to memory of 2536	2580	Nexol.exe	41
PID 2580 wrote to memory of 2144	2580	Nexol.exe	42
PID 2580 wrote to memory of 2144	2580	Nexol.exe	42
PID 2580 wrote to memory of 2144	2580	Nexol.exe	42
PID 2144 wrote to memory of 2100	2144	Nexol.exe	43
PID 2144 wrote to memory of 2100	2144	Nexol.exe	43
PID 2144 wrote to memory of 2100	2144	Nexol.exe	43
PID 2144 wrote to memory of 1960	2144	Nexol.exe	44
PID 2144 wrote to memory of 1960	2144	Nexol.exe	44
PID 2144 wrote to memory of 1960	2144	Nexol.exe	44
PID 1960 wrote to memory of 2456	1960	Nexol.exe	46
PID 1960 wrote to memory of 2456	1960	Nexol.exe	46
PID 1960 wrote to memory of 2456	1960	Nexol.exe	46
PID 1960 wrote to memory of 2040	1960	Nexol.exe	47
PID 1960 wrote to memory of 2040	1960	Nexol.exe	47
PID 1960 wrote to memory of 2040	1960	Nexol.exe	47
PID 2040 wrote to memory of 856	2040	Nexol.exe	48
PID 2040 wrote to memory of 856	2040	Nexol.exe	48
PID 2040 wrote to memory of 856	2040	Nexol.exe	48
PID 2040 wrote to memory of 708	2040	Nexol.exe	49
PID 2040 wrote to memory of 708	2040	Nexol.exe	49
PID 2040 wrote to memory of 708	2040	Nexol.exe	49
PID 708 wrote to memory of 1772	708	Nexol.exe	50
PID 708 wrote to memory of 1772	708	Nexol.exe	50
PID 708 wrote to memory of 1772	708	Nexol.exe	50
PID 708 wrote to memory of 1016	708	Nexol.exe	51
PID 708 wrote to memory of 1016	708	Nexol.exe	51
PID 708 wrote to memory of 1016	708	Nexol.exe	51
PID 1016 wrote to memory of 1500	1016	Nexol.exe	52
PID 1016 wrote to memory of 1500	1016	Nexol.exe	52
PID 1016 wrote to memory of 1500	1016	Nexol.exe	52
PID 1016 wrote to memory of 2064	1016	Nexol.exe	53

C:\Users\Admin\AppData\Local\Temp\Nexol.exe
"C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\Rimess.exe
  "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Rimess.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\Rimess.exe
    "C:\Windows\System32\Rimess.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13DE.tmp.bat""
      4⤵
      PID:2788
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1444
- C:\Users\Admin\AppData\Local\Temp\Nexol.exe
  "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
    "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
    "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
      "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
      4⤵
      Executes dropped EXE
      PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
      "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        5⤵
        Executes dropped EXE
        
        PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        6⤵
        Executes dropped EXE
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        7⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        8⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        9⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        10⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        11⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        11⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        12⤵
        Executes dropped EXE
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        12⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        13⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        13⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        14⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        14⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        15⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        15⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        16⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        16⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        17⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        17⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        18⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        18⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        19⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        19⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        20⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        20⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        21⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        21⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        22⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        22⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        23⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        23⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        24⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        24⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        25⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        25⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        26⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        26⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        27⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        27⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        28⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        28⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        29⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        29⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        30⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        30⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        31⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        31⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        32⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        32⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        33⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        33⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        34⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        34⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        35⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        35⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        36⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        36⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        37⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        37⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        38⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        38⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        39⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        39⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        40⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        40⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        41⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        41⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        42⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        42⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        43⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        43⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        44⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        44⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        45⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        45⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        46⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        46⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        47⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        47⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        48⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        48⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        49⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        49⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        50⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        50⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        51⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        51⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        52⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        52⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        53⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        53⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        54⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        54⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        55⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        55⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        56⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        56⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        57⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        57⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        58⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        58⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        59⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        59⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        60⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        60⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        61⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        61⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        62⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        62⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        63⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        63⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        64⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        64⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        65⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        65⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        66⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        66⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        67⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        67⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        68⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        68⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        69⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        69⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        70⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        70⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        71⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        71⤵
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rimess.exe

Filesize
29KB

MD5
a9ea8b23eb527c0a03541d5f85ec8205

SHA1
49d3357d63f633dd3f85e0b651e230c9b3d496a1

SHA256
41ba6c9a22b82e964837b99b974f6be09009d6f0dfdf32733a1380657ff84e0a

SHA512
9aa39d7f53764080461142ab64c20d75e6a6f62f76c0acee9347341e45ef5217f4bf113671e088eca4dc312bef74b6278adea44fb590ad5abf98d1fa3b800d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13DE.tmp.bat

Filesize
144B

MD5
8b25dc7f47c31c12612de673bb6192ef

SHA1
b31dbf9ddcdfda334ead8b0dcea8fb3309fa3720

SHA256
2a5eacc0fa11b1704101a7ef3c0165e5fae87cf859f7b5e17198c4be41ff4b38

SHA512
8924b0b0222c90fcb71a3fc50612aa15760d8b46c407617ffd3477cf053e73bb56be5de8347b82e1d2694514a057076c877a3e0cf8f9cb18c529012fac85d1ae

Download Submit
C:\Windows\System32\Rimess.exe

Filesize
30KB

MD5
76cdbd5ca528f810989e4ccaf2f41a37

SHA1
5082ddba41cfebd186f246ce60b01d7c8a0ba469

SHA256
d33db6a622c58b135f7a7bc5308751687b656cc7006d6d289c8b55292212bde2

SHA512
0c94936a9140da807d20a4a6bfeb2778e7d72081427394a689a6c9140d49ce767044a174e99a686a6e54985028af6694b3489616cb799a04ef5b1c590ee68208

Download Submit
memory/340-60-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/588-192-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/856-41-0x0000000000E40000-0x0000000000E4E000-memory.dmp

Filesize
56KB

Download
memory/1008-109-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/1156-208-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/1336-173-0x0000000000F90000-0x0000000000F9E000-memory.dmp

Filesize
56KB

Download
memory/1372-86-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/1500-54-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1508-204-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/1556-148-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1640-25-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/1644-238-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/1700-169-0x00000000000A0000-0x00000000000AE000-memory.dmp

Filesize
56KB

Download
memory/1708-246-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/1772-47-0x0000000001110000-0x000000000111E000-memory.dmp

Filesize
56KB

Download
memory/1800-219-0x0000000000C00000-0x0000000000C0E000-memory.dmp

Filesize
56KB

Download
memory/1804-196-0x00000000010C0000-0x00000000010CE000-memory.dmp

Filesize
56KB

Download
memory/1856-103-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/1932-124-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2040-212-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/2056-72-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2116-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-6-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-1-0x0000000000A00000-0x0000000000A76000-memory.dmp

Filesize
472KB

Download
memory/2116-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/2116-226-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/2152-141-0x0000000000010000-0x000000000001E000-memory.dmp

Filesize
56KB

Download
memory/2172-135-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2188-164-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2236-250-0x00000000010D0000-0x00000000010DE000-memory.dmp

Filesize
56KB

Download
memory/2264-242-0x00000000013E0000-0x00000000013EE000-memory.dmp

Filesize
56KB

Download
memory/2312-177-0x00000000011D0000-0x00000000011DE000-memory.dmp

Filesize
56KB

Download
memory/2312-66-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/2324-23-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2324-48-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2344-165-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/2404-97-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2456-35-0x00000000008A0000-0x00000000008AE000-memory.dmp

Filesize
56KB

Download
memory/2640-200-0x0000000000D20000-0x0000000000D2E000-memory.dmp

Filesize
56KB

Download
memory/2640-162-0x0000000001250000-0x000000000125E000-memory.dmp

Filesize
56KB

Download
memory/2784-159-0x0000000000D30000-0x0000000000D3E000-memory.dmp

Filesize
56KB

Download
memory/2792-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2792-15-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2800-181-0x0000000001040000-0x000000000104E000-memory.dmp

Filesize
56KB

Download
memory/2824-230-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

Filesize
56KB

Download
memory/2832-8-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/2852-80-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/2852-129-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/2944-113-0x00000000012A0000-0x00000000012AE000-memory.dmp

Filesize
56KB

Download
memory/2948-127-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/3012-234-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/3036-27-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download