Tasks (score in brackets)

Overview                                      [10]
Static                                        [10]
MoonXCrypter.exe        windows7-x64          [10]
MoonXCrypter.exe        windows10-2004-x64    [10]
plugins/Cm...ss.dll     windows7-x64          [1]
plugins/Cm...ss.dll     windows10-2004-x64    [1]
plugins/Crypter.dll     windows7-x64          [1]
plugins/Crypter.dll     windows10-2004-x64    [1]
plugins/HRDP.dll        windows7-x64          [1]
plugins/HRDP.dll        windows10-2004-x64    [1]
plugins/Options.dll     windows7-x64          [1]
plugins/Options.dll     windows10-2004-x64    [1]
plugins/Pe...ce.dll     windows7-x64          [1]
plugins/Pe...ce.dll     windows10-2004-x64    [1]
plugins/Pr...er.dll     windows7-x64          [1]
plugins/Pr...er.dll     windows10-2004-x64    [1]
plugins/Programs.dll    windows7-x64          [1]
plugins/Programs.dll    windows10-2004-x64    [1]
plugins/Ra...re.dll     windows7-x64          [1]
plugins/Ra...re.dll     windows10-2004-x64    [1]
plugins/Recovery.dll    windows7-x64          [1]
plugins/Recovery.dll    windows10-2004-x64    [1]
plugins/RunPE.dll       windows7-x64          [1]
plugins/RunPE.dll       windows10-2004-x64    [1]
plugins/Se...er.dll     windows7-x64          [1]
plugins/Se...er.dll     windows10-2004-x64    [1]
plugins/St...er.dll     windows7-x64          [1]
plugins/St...er.dll     windows10-2004-x64    [1]
plugins/TC...ns.dll     windows7-x64          [1]
plugins/TC...ns.dll     windows10-2004-x64    [1]

Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 28/01/2025, 12:42
Behavioral tasks

Task           Sample                        Resource
behavioral1    MoonXCrypter.exe              win7-20241023-en
behavioral2    MoonXCrypter.exe              win10v2004-20241007-en
behavioral3    plugins/Cmstp-Bypass.dll      win7-20240903-en
behavioral4    plugins/Cmstp-Bypass.dll      win10v2004-20241007-en
behavioral5    plugins/Crypter.dll           win7-20240903-en
behavioral6    plugins/Crypter.dll           win10v2004-20241007-en
behavioral7    plugins/HRDP.dll              win7-20241010-en
behavioral8    plugins/HRDP.dll              win10v2004-20241007-en
behavioral9    plugins/Options.dll           win7-20240903-en
behavioral10   plugins/Options.dll           win10v2004-20241007-en
behavioral11   plugins/Performance.dll       win7-20240903-en
behavioral12   plugins/Performance.dll       win10v2004-20241007-en
behavioral13   plugins/ProcessManager.dll    win7-20240708-en
behavioral14   plugins/ProcessManager.dll    win10v2004-20241007-en
behavioral15   plugins/Programs.dll          win7-20240903-en
behavioral16   plugins/Programs.dll          win10v2004-20241007-en
behavioral17   plugins/Ransomware.dll        win7-20241023-en
behavioral18   plugins/Ransomware.dll        win10v2004-20241007-en
behavioral19   plugins/Recovery.dll          win7-20241010-en
behavioral20   plugins/Recovery.dll          win10v2004-20241007-en
behavioral21   plugins/RunPE.dll             win7-20241010-en
behavioral22   plugins/RunPE.dll             win10v2004-20241007-en
behavioral23   plugins/ServiceManager.dll    win7-20240729-en
behavioral24   plugins/ServiceManager.dll    win10v2004-20241007-en
behavioral25   plugins/StartupManager.dll    win7-20240903-en
behavioral26   plugins/StartupManager.dll    win10v2004-20241007-en
behavioral27   plugins/TCPConnections.dll    win7-20240903-en
behavioral28   plugins/TCPConnections.dll    win10v2004-20241007-en
General

Target: MoonXCrypter.exe
Size: 7.1MB
MD5: 8bd4830859e6d4ff593fd12689dd6c5f
SHA1: b32174b222cdd84854838d5b31796d8e05fc430d
SHA256: 6bc29cb0c807de07a6d2b753691b03e13cb7b267ba4b24a3de567d65ab955207
SHA512: 4546f43380be8e82d21bca9310769a7b18a7c6eac4cb3f2b39435bdf6c418cacb58706bb6db7ba770af54bb4dec5ee99e105528d5c165fad1bb26838532716d2
SSDEEP: 98304:6jColtmW0fKeUzknPsi9rWlZroXKeWe54DzqGnl/Vxwt2camJ14lYWVDlx/BDyvq:6Plj0hUi9rWrQboqGnlNrS4lYqXJyi
Malware Config

Extracted family: xworm
Version: 5.0
sQz0RaHau8Jp14Tf
Install_directory: %AppData%
install_file: msedge.exe
pastebin_url: https://pastebin.com/raw/bQJb81hE
telegram: https://api.telegram.org/bot7608996644:AAGLvUjQra1pbtl0EeonQB0HIhDkLvQXGHM/sendMessage?chat_id=7750016553
Signatures

Detect Xworm Payload 10 IoCs
Xworm family

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
powershell.exe PIDs: 2336, 668, 2720, 3004, 876, 2744, 868, 824

Drops startup file 6 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk (msedge.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk (msedge.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk (OneDrive.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk (OneDrive.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk (Chrome Update.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk (Chrome Update.exe)
Executes dropped EXE 49 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe" (OneDrive.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe" (Chrome Update.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe PIDs: 2132, 236, 1140
Suspicious behavior: EnumeratesProcesses 8 IoCs
powershell.exe PIDs: 824, 2336, 668, 2720, 876, 3004, 2744, 868
Suspicious use of AdjustPrivilegeToken 57 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth in the process tree is given in brackets, followed by the PID and the command line (the image path is given first where it differs from the command line); the signatures triggered by a process are listed beneath it.

[1] PID 2952  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
    Suspicious use of WriteProcessMemory
  [2] PID 2768  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      Drops startup file; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] PID 1140  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
        Scheduled Task/Job: Scheduled Task
  [2] PID 2820  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
      Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
    [3] PID 824  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 668  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 876  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 868  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 236  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
        Scheduled Task/Job: Scheduled Task
  [2] PID 2876  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
    [3] PID 2336  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 2720  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 3004  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 2744  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 2132  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        Scheduled Task/Job: Scheduled Task
  [2] PID 2064  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
      Suspicious use of WriteProcessMemory
    [3] PID 2736  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] PID 2500  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] PID 2492  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    [3] PID 484  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
        Suspicious use of WriteProcessMemory
      [4] PID 2872  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
          Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      [4] PID 692  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
          Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      [4] PID 2172  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
          Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      [4] PID 2152  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
          Suspicious use of WriteProcessMemory
        [5] PID 2144  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
            Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        [5] PID 1048  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
            Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        [5] PID 1728  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
            Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        [5] PID 2844  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
            Suspicious use of WriteProcessMemory
          [6] PID 1472  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
              Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] PID 2728  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
              Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] PID 2860  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
              Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] PID 2116  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
              Suspicious use of WriteProcessMemory
            [7] PID 2252  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            [7] PID 1956  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            [7] PID 840  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            [7] PID 1344  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
              [8] PID 1020  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              [8] PID 2640  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              [8] PID 2080  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              [8] PID 2176  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                [9] PID 1540  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                [9] PID 1980  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                [9] PID 1420  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                [9] PID 2088  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                  [10] PID 1720  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                       Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                  [10] PID 952  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                       Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                  [10] PID 2000  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                       Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                  [10] PID 1684  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                    [11] PID 844  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                    [11] PID 1584  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                    [11] PID 2212  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                         Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                    [11] PID 816  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                      [12] PID 2364  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                           Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                      [12] PID 2032  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                           Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                      [12] PID 1508  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                           Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                      [12] PID 2808  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                        [13] PID 2712  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                        [13] PID 2676  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                        [13] PID 2920  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                             Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                        [13] PID 2344  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                          [14] PID 1384  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                          [14] PID 2844  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                          [14] PID 3056  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                               Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                          [14] PID 2004  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                            [15] PID 988  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                                 Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            [15] PID 1772  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                                 Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            [15] PID 1680  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                                 Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            [15] PID 2936  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"
                              [16] PID 2656  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                                   Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                              [16] PID 2100  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
                                   Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                              [16] PID 1708  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
                                   Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                              [16] PID 3064  "C:\Users\Admin\AppData\Local\Temp\MoonXCrypter.exe"

[1] PID 1660  C:\Windows\system32\taskeng.exe: taskeng.exe {35EC545F-FABA-4174-B356-D10C67288AC6} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
  [2] PID 1628  C:\ProgramData\OneDrive.exe
      Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  [2] PID 2068  C:\Users\Admin\AppData\Roaming\msedge.exe
      Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  [2] PID 888  C:\ProgramData\OneDrive.exe
      Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  [2] PID 1856  C:\Users\Admin\AppData\Roaming\msedge.exe
      Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

- Filesize: 152KB
  MD5: 16cdd301591c6af35a03cd18caee2e59
  SHA1: 92c6575b57eac309c8664d4ac76d87f2906e8ef3
  SHA256: 11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8
  SHA512: a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

- Filesize: 140KB
  MD5: a1cd6f4a3a37ed83515aa4752f98eb1d
  SHA1: 7f787c8d72787d8d130b4788b006b799167d1802
  SHA256: 5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65
  SHA512: 9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

- Filesize: 166KB
  MD5: a06b97d6bd4489c5632d17e968a71103
  SHA1: bc41fec2cb8c43f526c2c94449a1d7bcbcd364a9
  SHA256: e1a9840703907437fc308be5a971e7b90d5dc1e24d03ff9988112ddb89b48cb6
  SHA512: d0db4aee90306f589ca27afd1a988aefbd444f2c25418c8d54697db858d36bf627e3a68a890dcfda85a31a24a171d0152dc4473095ccebb483b4e18c5b107ddd

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MK6WK3HKDVP0KGAE8O83.temp
  Filesize: 7KB
  MD5: b17c565cb5bbbb74eb2f1cf46394b4c1
  SHA1: 881cf50ff5deccc5fc24b460838d845e41647e91
  SHA256: 3f771b63ffd23f4b6f371a70a6dac5573245854bcb82074095663441389be959
  SHA512: c1561b5b2a61e1e4ff5fa3179c8e4c7998311b527c6bf8ac87b2839371fc37986a73328e4421c000ce57db925225895fa5973fa52838c754a5cf761745906d53