xworm | eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/03/2025, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexol.exe
Size

448KB
MD5

69a831d62d8eb89c3327538d23ea3532
SHA1

c0364914fffa90df86357489802599401b0712ec
SHA256

eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8
SHA512

21c3ca6b26bad70dff7e8c6dd26cdf89d0e311bcb6315505fc7ba068625ba8b4452dcd9ba3c714f68de7de5ed369e27b25e82438ad66fb327f1839c34a2a3877
SSDEEP

12288:tgmuiWCFstIScxuwu0iFsb9FYz6eEUFuYUgZ1jVDSFQx+:7uilFstIZMYiM923UgnDSFQx+

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

aC2Uqwxt1JZnqhmD

Attributes

Install_directory
%Port%
install_file
explorer.exe
pastebin_url
https://pastebin.com/raw/jkeHBv0w

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000004e74-22.dat	family_xworm
behavioral1/memory/1096-23-0x0000000000090000-0x000000000009E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2844	Rimess.exe
2720	Rimess.exe
1096	Rimess.exe
2856	Rimess.exe
1728	Rimess.exe
1140	Rimess.exe
2936	Rimess.exe
2260	Rimess.exe
2532	Rimess.exe
2952	Rimess.exe
2080	Rimess.exe
3032	Rimess.exe
2456	Rimess.exe
2656	Rimess.exe
2840	Rimess.exe
2404	Rimess.exe
664	Rimess.exe
1820	Rimess.exe
1728	Rimess.exe
2244	Rimess.exe
1892	Rimess.exe
2256	Rimess.exe
980	Rimess.exe
956	Rimess.exe
2952	Rimess.exe
888	Rimess.exe
2904	Rimess.exe
2680	Rimess.exe
2328	Rimess.exe
2656	Rimess.exe
1040	Rimess.exe
2720	Rimess.exe
676	Rimess.exe
1876	Rimess.exe
1792	Rimess.exe
2400	Rimess.exe
1676	Rimess.exe
2960	Rimess.exe
1376	Rimess.exe
2116	Rimess.exe
1516	Rimess.exe
2572	Rimess.exe
2760	Rimess.exe
3000	Rimess.exe
1284	Rimess.exe
2096	Rimess.exe
2208	Rimess.exe
1876	Rimess.exe
2188	Rimess.exe
1724	Rimess.exe
2512	Rimess.exe
612	Rimess.exe
1908	Rimess.exe
2708	Rimess.exe
1204	Rimess.exe
964	Rimess.exe
844	Rimess.exe
1880	Rimess.exe
2236	Rimess.exe
2096	Rimess.exe
1612	Rimess.exe
2076	Rimess.exe
2176	Rimess.exe
788	Rimess.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rimess = "C:\\Windows\\System32\\Rimess.exe"	Rimess.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Rimess.exe	Rimess.exe
File opened for modification	C:\Windows\System32\Rimess.exe	Rimess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1096	Rimess.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2844	2788	Nexol.exe	31
PID 2788 wrote to memory of 2844	2788	Nexol.exe	31
PID 2788 wrote to memory of 2844	2788	Nexol.exe	31
PID 2788 wrote to memory of 2916	2788	Nexol.exe	32
PID 2788 wrote to memory of 2916	2788	Nexol.exe	32
PID 2788 wrote to memory of 2916	2788	Nexol.exe	32
PID 2916 wrote to memory of 2720	2916	Nexol.exe	33
PID 2916 wrote to memory of 2720	2916	Nexol.exe	33
PID 2916 wrote to memory of 2720	2916	Nexol.exe	33
PID 2916 wrote to memory of 2836	2916	Nexol.exe	34
PID 2916 wrote to memory of 2836	2916	Nexol.exe	34
PID 2916 wrote to memory of 2836	2916	Nexol.exe	34
PID 2844 wrote to memory of 2668	2844	Rimess.exe	35
PID 2844 wrote to memory of 2668	2844	Rimess.exe	35
PID 2844 wrote to memory of 2668	2844	Rimess.exe	35
PID 2844 wrote to memory of 1096	2844	Rimess.exe	37
PID 2844 wrote to memory of 1096	2844	Rimess.exe	37
PID 2844 wrote to memory of 1096	2844	Rimess.exe	37
PID 2836 wrote to memory of 2856	2836	Nexol.exe	38
PID 2836 wrote to memory of 2856	2836	Nexol.exe	38
PID 2836 wrote to memory of 2856	2836	Nexol.exe	38
PID 2836 wrote to memory of 2864	2836	Nexol.exe	39
PID 2836 wrote to memory of 2864	2836	Nexol.exe	39
PID 2836 wrote to memory of 2864	2836	Nexol.exe	39
PID 2864 wrote to memory of 1728	2864	Nexol.exe	40
PID 2864 wrote to memory of 1728	2864	Nexol.exe	40
PID 2864 wrote to memory of 1728	2864	Nexol.exe	40
PID 2864 wrote to memory of 1148	2864	Nexol.exe	41
PID 2864 wrote to memory of 1148	2864	Nexol.exe	41
PID 2864 wrote to memory of 1148	2864	Nexol.exe	41
PID 1148 wrote to memory of 1140	1148	Nexol.exe	42
PID 1148 wrote to memory of 1140	1148	Nexol.exe	42
PID 1148 wrote to memory of 1140	1148	Nexol.exe	42
PID 1148 wrote to memory of 532	1148	Nexol.exe	43
PID 1148 wrote to memory of 532	1148	Nexol.exe	43
PID 1148 wrote to memory of 532	1148	Nexol.exe	43
PID 532 wrote to memory of 2936	532	Nexol.exe	44
PID 532 wrote to memory of 2936	532	Nexol.exe	44
PID 532 wrote to memory of 2936	532	Nexol.exe	44
PID 532 wrote to memory of 2068	532	Nexol.exe	45
PID 532 wrote to memory of 2068	532	Nexol.exe	45
PID 532 wrote to memory of 2068	532	Nexol.exe	45
PID 2068 wrote to memory of 2260	2068	Nexol.exe	46
PID 2068 wrote to memory of 2260	2068	Nexol.exe	46
PID 2068 wrote to memory of 2260	2068	Nexol.exe	46
PID 2068 wrote to memory of 652	2068	Nexol.exe	47
PID 2068 wrote to memory of 652	2068	Nexol.exe	47
PID 2068 wrote to memory of 652	2068	Nexol.exe	47
PID 652 wrote to memory of 2532	652	Nexol.exe	48
PID 652 wrote to memory of 2532	652	Nexol.exe	48
PID 652 wrote to memory of 2532	652	Nexol.exe	48
PID 652 wrote to memory of 2960	652	Nexol.exe	49
PID 652 wrote to memory of 2960	652	Nexol.exe	49
PID 652 wrote to memory of 2960	652	Nexol.exe	49
PID 2960 wrote to memory of 2952	2960	Nexol.exe	50
PID 2960 wrote to memory of 2952	2960	Nexol.exe	50
PID 2960 wrote to memory of 2952	2960	Nexol.exe	50
PID 2960 wrote to memory of 1528	2960	Nexol.exe	51
PID 2960 wrote to memory of 1528	2960	Nexol.exe	51
PID 2960 wrote to memory of 1528	2960	Nexol.exe	51
PID 1528 wrote to memory of 2080	1528	Nexol.exe	52
PID 1528 wrote to memory of 2080	1528	Nexol.exe	52
PID 1528 wrote to memory of 2080	1528	Nexol.exe	52
PID 1528 wrote to memory of 2372	1528	Nexol.exe	53

C:\Users\Admin\AppData\Local\Temp\Nexol.exe
"C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\Rimess.exe
  "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Rimess.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\Rimess.exe
    "C:\Windows\System32\Rimess.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\Nexol.exe
  "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
    "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
    "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
      "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
      4⤵
      Executes dropped EXE
      PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
      "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        5⤵
        Executes dropped EXE
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        6⤵
        Executes dropped EXE
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        7⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        8⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        9⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        10⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        11⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        11⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        12⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        12⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        13⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        13⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        14⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        14⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        15⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        15⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        16⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        16⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        17⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        17⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        18⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        18⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        19⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        19⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        20⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        20⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        21⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        21⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        22⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        22⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        23⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        23⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        24⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        24⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        25⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        25⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        26⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        26⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        27⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        27⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        28⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        28⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        29⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        29⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        30⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        30⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        31⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        31⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        32⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        32⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        33⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        33⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        34⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        34⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        35⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        35⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        36⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        36⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        37⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        37⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        38⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        38⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        39⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        39⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        40⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        40⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        41⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        41⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        42⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        42⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        43⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        43⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        44⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        44⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        45⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        45⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        46⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        46⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        47⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        47⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        48⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        48⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        49⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        49⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        50⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        50⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        51⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        51⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        52⤵
        Executes dropped EXE
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        52⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        53⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        53⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        54⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        54⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        55⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        55⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        56⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        56⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        57⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        57⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        58⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        58⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        59⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        59⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        60⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        60⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        61⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        61⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        62⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        62⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        63⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        63⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        64⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        64⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        65⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        65⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        66⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        66⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        67⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        67⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        68⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        68⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        69⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        69⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        70⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        70⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        71⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        71⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Rimess.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
        72⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        72⤵
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rimess.exe

Filesize
29KB

MD5
a9ea8b23eb527c0a03541d5f85ec8205

SHA1
49d3357d63f633dd3f85e0b651e230c9b3d496a1

SHA256
41ba6c9a22b82e964837b99b974f6be09009d6f0dfdf32733a1380657ff84e0a

SHA512
9aa39d7f53764080461142ab64c20d75e6a6f62f76c0acee9347341e45ef5217f4bf113671e088eca4dc312bef74b6278adea44fb590ad5abf98d1fa3b800d1a

Download Submit
C:\Windows\System32\Rimess.exe

Filesize
30KB

MD5
76cdbd5ca528f810989e4ccaf2f41a37

SHA1
5082ddba41cfebd186f246ce60b01d7c8a0ba469

SHA256
d33db6a622c58b135f7a7bc5308751687b656cc7006d6d289c8b55292212bde2

SHA512
0c94936a9140da807d20a4a6bfeb2778e7d72081427394a689a6c9140d49ce767044a174e99a686a6e54985028af6694b3489616cb799a04ef5b1c590ee68208

Download Submit
memory/612-153-0x00000000013D0000-0x00000000013DE000-memory.dmp

Filesize
56KB

Download
memory/696-203-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/788-197-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/844-170-0x00000000012C0000-0x00000000012CE000-memory.dmp

Filesize
56KB

Download
memory/964-169-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/1096-23-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1140-33-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/1204-165-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/1284-123-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/1376-107-0x00000000000F0000-0x00000000000FE000-memory.dmp

Filesize
56KB

Download
memory/1688-198-0x0000000000870000-0x000000000087E000-memory.dmp

Filesize
56KB

Download
memory/1724-145-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/1728-27-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/1772-202-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/1876-141-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/1876-97-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/1880-174-0x00000000012E0000-0x00000000012EE000-memory.dmp

Filesize
56KB

Download
memory/1908-157-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2076-189-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/2080-59-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2096-129-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/2096-182-0x00000000011E0000-0x00000000011EE000-memory.dmp

Filesize
56KB

Download
memory/2176-193-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/2208-135-0x0000000000F70000-0x0000000000F7E000-memory.dmp

Filesize
56KB

Download
memory/2236-178-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

Filesize
56KB

Download
memory/2260-45-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2332-208-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/2512-149-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/2532-47-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/2592-212-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/2668-16-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2668-15-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2708-161-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2788-8-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2788-1-0x0000000000D90000-0x0000000000E06000-memory.dmp

Filesize
472KB

Download
memory/2788-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2844-9-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-24-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2844-7-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2856-216-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/2936-39-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2952-83-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/2952-204-0x0000000000D30000-0x0000000000D3E000-memory.dmp

Filesize
56KB

Download
memory/2952-53-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/3000-117-0x0000000001190000-0x000000000119E000-memory.dmp

Filesize
56KB

Download
memory/3000-220-0x0000000000FD0000-0x0000000000FDE000-memory.dmp

Filesize
56KB

Download
memory/3032-65-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download