xworm | eda0f45bf7e42ea80b3140d490ffcdd773f35d48bcb4ee9babc76f67afd7b8f6

Analysis

max time kernel
50s
max time network
52s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-01-2025 22:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MoonCrypter1.rar
Size

1.7MB
MD5

760b8ccf814fde6524ceffc5f97421d8
SHA1

22d79221917fd211a42f923aa5a94ba72c749e75
SHA256

eda0f45bf7e42ea80b3140d490ffcdd773f35d48bcb4ee9babc76f67afd7b8f6
SHA512

41ddaee104d4bfad95686193564c4122dae026d5f3b86fb3fb536d09fc43301c306632bafb695c543b6cd3838bca080feecba23f75b46820e33e6df66724d3ea
SSDEEP

24576:sxO9XOv3bdt1fMY5LJgYOeD82y7UhPIsamtMQ1dVExVwYs5YDGrVEfHm16OUdo1U:IfbjEzezyC+srEzJJOEfg6OUPSR8T

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000461b8-90.dat	family_xworm
behavioral1/memory/3880-93-0x0000000000B70000-0x0000000000B80000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
1752	powershell.exe
2368	powershell.exe
1176	powershell.exe
3952	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	moon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	fixer1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	MoonCrypter1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	Windows Services.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Launcher.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.lnk	moon.exe

Executes dropped EXE 9 IoCs

pid	Process
1020	fixer1.exe
4972	MoonCrypter1.exe
948	Launcher.exe
2508	mce.exe
4876	MoonCrypter.exe
3880	moon.exe
3424	Windows Services.exe
3744	Secure System Shell.exe
2808	Runtime Explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
948	Launcher.exe
948	Launcher.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\host = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	moon.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\IMF\Runtime Explorer.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Runtime Explorer.exe	Launcher.exe
File created	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File created	C:\Windows\IMF\LICENCE.dat	Launcher.exe
File created	C:\Windows\IMF\Secure System Shell.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Secure System Shell.exe	Launcher.exe
File created	C:\Windows\IMF\Windows Services.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Windows Services.exe	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fixer1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonCrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Secure System Shell.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "196"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
948	Launcher.exe
2368	powershell.exe
2368	powershell.exe
3424	Windows Services.exe
3424	Windows Services.exe
3424	Windows Services.exe
3424	Windows Services.exe
3424	Windows Services.exe
3744	Secure System Shell.exe
3744	Secure System Shell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	236	7zFM.exe
Token: 35	236	7zFM.exe
Token: SeSecurityPrivilege	236	7zFM.exe
Token: SeDebugPrivilege	1020	fixer1.exe
Token: SeDebugPrivilege	4972	MoonCrypter1.exe
Token: SeDebugPrivilege	948	Launcher.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	3880	moon.exe
Token: 33	1104	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1104	AUDIODG.EXE
Token: SeDebugPrivilege	3424	Windows Services.exe
Token: SeIncreaseQuotaPrivilege	2368	powershell.exe
Token: SeSecurityPrivilege	2368	powershell.exe
Token: SeTakeOwnershipPrivilege	2368	powershell.exe
Token: SeLoadDriverPrivilege	2368	powershell.exe
Token: SeSystemProfilePrivilege	2368	powershell.exe
Token: SeSystemtimePrivilege	2368	powershell.exe
Token: SeProfSingleProcessPrivilege	2368	powershell.exe
Token: SeIncBasePriorityPrivilege	2368	powershell.exe
Token: SeCreatePagefilePrivilege	2368	powershell.exe
Token: SeBackupPrivilege	2368	powershell.exe
Token: SeRestorePrivilege	2368	powershell.exe
Token: SeShutdownPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeSystemEnvironmentPrivilege	2368	powershell.exe
Token: SeRemoteShutdownPrivilege	2368	powershell.exe
Token: SeUndockPrivilege	2368	powershell.exe
Token: SeManageVolumePrivilege	2368	powershell.exe
Token: 33	2368	powershell.exe
Token: 34	2368	powershell.exe
Token: 35	2368	powershell.exe
Token: 36	2368	powershell.exe
Token: SeDebugPrivilege	3744	Secure System Shell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	powershell.exe
Token: SeSecurityPrivilege	1176	powershell.exe
Token: SeTakeOwnershipPrivilege	1176	powershell.exe
Token: SeLoadDriverPrivilege	1176	powershell.exe
Token: SeSystemProfilePrivilege	1176	powershell.exe
Token: SeSystemtimePrivilege	1176	powershell.exe
Token: SeProfSingleProcessPrivilege	1176	powershell.exe
Token: SeIncBasePriorityPrivilege	1176	powershell.exe
Token: SeCreatePagefilePrivilege	1176	powershell.exe
Token: SeBackupPrivilege	1176	powershell.exe
Token: SeRestorePrivilege	1176	powershell.exe
Token: SeShutdownPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeSystemEnvironmentPrivilege	1176	powershell.exe
Token: SeRemoteShutdownPrivilege	1176	powershell.exe
Token: SeUndockPrivilege	1176	powershell.exe
Token: SeManageVolumePrivilege	1176	powershell.exe
Token: 33	1176	powershell.exe
Token: 34	1176	powershell.exe
Token: 35	1176	powershell.exe
Token: 36	1176	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	3952	powershell.exe
Token: SeLoadDriverPrivilege	3952	powershell.exe
Token: SeSystemProfilePrivilege	3952	powershell.exe
Token: SeSystemtimePrivilege	3952	powershell.exe
Token: SeProfSingleProcessPrivilege	3952	powershell.exe
Token: SeIncBasePriorityPrivilege	3952	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
236	7zFM.exe
236	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	Runtime Explorer.exe
5116	LogonUI.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 948	1020	fixer1.exe	95
PID 1020 wrote to memory of 948	1020	fixer1.exe	95
PID 1020 wrote to memory of 948	1020	fixer1.exe	95
PID 948 wrote to memory of 2368	948	Launcher.exe	97
PID 948 wrote to memory of 2368	948	Launcher.exe	97
PID 948 wrote to memory of 2368	948	Launcher.exe	97
PID 1020 wrote to memory of 2508	1020	fixer1.exe	99
PID 1020 wrote to memory of 2508	1020	fixer1.exe	99
PID 4972 wrote to memory of 4876	4972	MoonCrypter1.exe	100
PID 4972 wrote to memory of 4876	4972	MoonCrypter1.exe	100
PID 4972 wrote to memory of 4876	4972	MoonCrypter1.exe	100
PID 4972 wrote to memory of 3880	4972	MoonCrypter1.exe	101
PID 4972 wrote to memory of 3880	4972	MoonCrypter1.exe	101
PID 948 wrote to memory of 3424	948	Launcher.exe	103
PID 948 wrote to memory of 3424	948	Launcher.exe	103
PID 948 wrote to memory of 3424	948	Launcher.exe	103
PID 3424 wrote to memory of 3744	3424	Windows Services.exe	105
PID 3424 wrote to memory of 3744	3424	Windows Services.exe	105
PID 3424 wrote to memory of 3744	3424	Windows Services.exe	105
PID 3424 wrote to memory of 2808	3424	Windows Services.exe	106
PID 3424 wrote to memory of 2808	3424	Windows Services.exe	106
PID 3424 wrote to memory of 2808	3424	Windows Services.exe	106
PID 3880 wrote to memory of 1176	3880	moon.exe	108
PID 3880 wrote to memory of 1176	3880	moon.exe	108
PID 3880 wrote to memory of 3952	3880	moon.exe	110
PID 3880 wrote to memory of 3952	3880	moon.exe	110
PID 3880 wrote to memory of 876	3880	moon.exe	113
PID 3880 wrote to memory of 876	3880	moon.exe	113
PID 3880 wrote to memory of 1752	3880	moon.exe	116
PID 3880 wrote to memory of 1752	3880	moon.exe	116
PID 3880 wrote to memory of 2240	3880	moon.exe	119
PID 3880 wrote to memory of 2240	3880	moon.exe	119

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MoonCrypter1.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3768

C:\Users\Admin\Desktop\MoonCrypter\fixer1.exe
"C:\Users\Admin\Desktop\MoonCrypter\fixer1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\Desktop\MoonCrypter\Jint\Launcher.exe
  "C:\Users\Admin\Desktop\MoonCrypter\Jint\Launcher.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\IMF\Windows Services.exe
    "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\IMF\Secure System Shell.exe
      "C:\Windows\IMF\Secure System Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2808
- C:\Users\Admin\Desktop\MoonCrypter\Jint\mce.exe
  "C:\Users\Admin\Desktop\MoonCrypter\Jint\mce.exe"
  2⤵
  - Executes dropped EXE
  PID:2508

C:\Users\Admin\Desktop\MoonCrypter\MoonCrypter1.exe
"C:\Users\Admin\Desktop\MoonCrypter\MoonCrypter1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe
  "C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\moon.exe
  "C:\Users\Admin\AppData\Local\Temp\moon.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'moon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'host.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
32715d5f68bd0b61fe4cf746fc8cbec5

SHA1
747bdd25bbaaeca3fef2e9bba1d92120c2674068

SHA256
919c2dbbf33e8f57435c4a806088f358889c396a7cb754f79d746a8e0cd38e47

SHA512
c354b69a6ecc3c8a086340f3fd8f42fd05731bb78fed6dc58479f72ae39e38333ec2c90e1c748745e8480dbeb079d6ad5813ce2c87d048ae8eb982c4949f29cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
730d375c503ac7775813330efd853380

SHA1
300c1b9ab4fb1434c3d8707309794bdd972717d2

SHA256
bc155a091781a76ef6811cf536a50729729fcf645f4232107072178ad186c5ab

SHA512
ce04a25ef018692dbc125433d00416badf2a9084d536dd83f8040bfcbac96f7f947ae5d13f147337aa96164553f050a9398ee369a7681f24cadc6b194e8a4f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dece17e8b3d1cc0b29cf5a977b68730e

SHA1
e24e56624c7701b349a5a07642e9b9d902196f55

SHA256
1f78459e977340a708884f6f42099ad6914a855ee98cba6c09bbb2b56dbaa908

SHA512
8a966a00209f43ebc4051c3433aa12ce4e9a2f85acfb428f87fc7fd222549085c115df2372cbc29836a926950a38400a68e29c6f89c8f237a14c7833a92eb8a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b2e67a7468611a6f7425dbd52eb5e55

SHA1
a3b4bb9a4debc922ba0451cdaf7cdeb4352feb6b

SHA256
e5c94e21876312255c23693aaa78b95850b5dc4ed7824d875f285729540fc324

SHA512
8531c461301768e4e3a7aed0a972c46ebec966540d2d71a1d79225c282727095bc6776f16e73678656351c416c5c3646190bbc156078e5eb140a92598e9eb3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonCrypter.exe

Filesize
191KB

MD5
24bd0c210794c566995f58dd1ea5d542

SHA1
890f5936f00948e77d766b8e200d6a9a210b1032

SHA256
d60d3dfdc76f15f7891d8f437b07a20567f4face48ae22e4b816b2bd44f6a5ba

SHA512
978338f90d3ce30b64d1f745a1ba477b42285f0e3a5409d3537a174f7211751e8edb4c056226f4af27c44ad8cbc6e9c95289efabd1540f7b31605b91df952d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpj3nvdy.ttb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\moon.exe

Filesize
39KB

MD5
a980d2576c2540587333143dafc4fef4

SHA1
432352d8571bd6d345c8b931e19bef818f324cfe

SHA256
3ade47aed888d5099ba50ba655cbf909756367b12537b2fba6d0d7d3690e803a

SHA512
d7b67aa3ce5d5bddfb5929262ee3e64877600297cf423d90c101c8b7803687861b9668b112f17f4dee94d1701b0ee70ecf05972b810d37f8ca8a51a8055d19f9

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\Jint\Ionic.Zip.dll

Filesize
480KB

MD5
f6933bf7cee0fd6c80cdf207ff15a523

SHA1
039eeb1169e1defe387c7d4ca4021bce9d11786d

SHA256
17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

SHA512
88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\Jint\LICENCE.dat

Filesize
73KB

MD5
5ac57bee6febd79c760a08a6f4fbda37

SHA1
fc9646f500d3d197932a890544081dfa05c00214

SHA256
59a2f1e7e29689f58536f505b5479cbbef9d3e8e0a7ebfaa41dfb434f4667dea

SHA512
9b424abc0b94598c7b35ba6398a0b4a21c6b4a32de31bab43af259af3cbdb407592d0eaff25c29d6a3def645e7e455b50375eb7ab3161bb64ea8ae5d9b48d65a

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\Jint\Launcher.exe

Filesize
53KB

MD5
c6d4c881112022eb30725978ecd7c6ec

SHA1
ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

SHA256
0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

SHA512
3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\Jint\mce.exe

Filesize
253KB

MD5
0ec3da715b4dd0c38c00d5102dbcc6c6

SHA1
8f94bdd39e48e894d01cc418059288ab0b9fd7ce

SHA256
cd24da6a58712ffa1c42790226d2dbcbd4a223e14d001c97e4031170d3ef6a99

SHA512
a3b9aff7c374accb0d079104bbf73889c8b0c9c14cbabbf97265048c944efb89cc5b9340fab8e80607e8863d32cec6908d01d079414c4bc69a09301485464232

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\MoonCrypter1.exe

Filesize
582KB

MD5
fe33fb1a059475fe19f07437098c391c

SHA1
bf4a0cc782156a44a27c7e9ea1e4297be926a597

SHA256
fc70565765ef8ca0f63b63aab261ebff53d1f110bd8da460720099b779832283

SHA512
c8117a6cd0e956d2ff82143621a320ebf7ff38f67a4cb64f9e294c341806757a4a0549e869c16d90c0d48ebd6262befd62411af9cacc19121b25ee5532e6d079

Download Submit
C:\Users\Admin\Desktop\MoonCrypter\fixer1.exe

Filesize
510KB

MD5
696be443d22e8435a3649313ce100c66

SHA1
3213e88a7accb1002f67770f3f972fb19f2da7de

SHA256
1f7561c08f10f443c953fe4292bbc3e69e739f9c61e426fba4c210de423f1ddb

SHA512
b15e57b35cd7ea49b288103a327cd7fce80494f05d048b9ae909647f5f4f3acbb4b25495e48375bf6f7191f39b7dd941a098a914d281687847996c37a288424d

Download Submit
C:\Windows\IMF\Runtime Explorer.exe

Filesize
144KB

MD5
5ea4ee24f01613f1bd403312c46b9ec9

SHA1
3d76201186437c8e0daba0ee37472fe3c4ef546d

SHA256
c81755fe990f1b023bf9b88eed4856c088755af050ea4627ed081a8203f03472

SHA512
73b0cc6d49db601b50a5c89b4b0f083a69efd6ff063edc03c93cac16c104173b8a1d172279e88f8a1b17b3b56f27a9fe6f207fde51729292cbacb272c75c8f53

Download Submit
C:\Windows\IMF\Secure System Shell.exe

Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Windows Services.exe

Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
memory/948-32-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/948-36-0x0000000005E70000-0x0000000005EEE000-memory.dmp

Filesize
504KB

Download
memory/948-129-0x00000000073A0000-0x0000000007416000-memory.dmp

Filesize
472KB

Download
memory/948-132-0x0000000007380000-0x000000000739E000-memory.dmp

Filesize
120KB

Download
memory/1020-20-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/1020-21-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/1020-22-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/1020-55-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/1020-19-0x00000000005F0000-0x0000000000676000-memory.dmp

Filesize
536KB

Download
memory/1020-18-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/1020-23-0x0000000005A50000-0x0000000005FF6000-memory.dmp

Filesize
5.6MB

Download
memory/1020-24-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/1020-25-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/1020-26-0x00000000052E0000-0x0000000005336000-memory.dmp

Filesize
344KB

Download
memory/1176-163-0x0000025F1B080000-0x0000025F1B0A2000-memory.dmp

Filesize
136KB

Download
memory/2368-150-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/2368-130-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/2368-45-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/2368-38-0x0000000005330000-0x00000000059FA000-memory.dmp

Filesize
6.8MB

Download
memory/2368-95-0x000000006F730000-0x000000006F77C000-memory.dmp

Filesize
304KB

Download
memory/2368-105-0x0000000007410000-0x000000000742E000-memory.dmp

Filesize
120KB

Download
memory/2368-94-0x00000000073B0000-0x00000000073E2000-memory.dmp

Filesize
200KB

Download
memory/2368-106-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/2368-46-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/2368-37-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

Filesize
216KB

Download
memory/2368-52-0x0000000005E30000-0x0000000006187000-memory.dmp

Filesize
3.3MB

Download
memory/2368-56-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/2368-152-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/2368-39-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/2368-131-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/2368-57-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/2508-58-0x000000001BB50000-0x000000001BBF6000-memory.dmp

Filesize
664KB

Download
memory/2508-59-0x000000001C0D0000-0x000000001C59E000-memory.dmp

Filesize
4.8MB

Download
memory/2508-60-0x000000001C640000-0x000000001C6DC000-memory.dmp

Filesize
624KB

Download
memory/2508-61-0x00000000014E0000-0x00000000014E8000-memory.dmp

Filesize
32KB

Download
memory/2508-62-0x000000001C7E0000-0x000000001C82C000-memory.dmp

Filesize
304KB

Download
memory/3424-151-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/3744-156-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/3880-93-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/3880-213-0x0000000001370000-0x000000000137C000-memory.dmp

Filesize
48KB

Download
memory/4876-92-0x0000000000930000-0x0000000000966000-memory.dmp

Filesize
216KB

Download
memory/4972-29-0x0000000000E70000-0x0000000000F08000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads