File name:	3.PL_PIEC001-L20250227-GLOBAL_ATOP.pdf.msc
Full analysis:	https://app.any.run/tasks/166bb71d-0998-46cf-844b-3cd263bef4bd
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. XWorm ist ein Remote Access Trojaner (RAT), der als Malware-as-a-Service verkauft wird. Er verfügt über ein umfangreiches Hacking-Toolset und ist in der Lage, private Informationen und Dateien auf dem infizierten Computer zu sammeln, MetaMask- und Telegram-Konten zu kapern und Benutzeraktivitäten zu verfolgen. XWorm wird in der Regel durch mehrstufige Angriffe auf die Computer der Opfer übertragen, die mit Phishing-E-Mails beginnen. Malware Trends Tracker >>>
Analysis date:	May 09, 2025, 12:28:39
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader remote xworm susp-powershell
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines (7436), with CRLF line terminators
MD5:	4659DB3279657D4EC38473F4F25CB04F
SHA1:	8DC3BCCBA79C8DDC681099B3924B12E355A29FD0
SHA256:	E9B9E6269037EEBA8B99D416E952FFAB3B0C514C0E5FAF2043A8496F39EC3C86
SSDEEP:	384:jeHUIR5qrkq25/NRFp9jYisCqgaqao8BI92vFGOWPnQB+CVFpH:2NRQhqbFpJYi+gapa928YzVFpH


(PID) Process:	(5156) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5156) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5156) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5156) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(5156) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(5360) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(7332) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(7428) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7332) Acrobat.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(7428) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0

PID	Process	Filename		Type
6620	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6PNJG8ELAW2X3JSZMTW.temp		binary
		MD5:69A73136D2157D67B384C59435255540	SHA256:E4AC67945F668DD81F3E67C116223D67A5860F79DFA8EFA6450B2497BB3538A2
1852	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hty4ump3.jaf.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6620	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:69A73136D2157D67B384C59435255540	SHA256:E4AC67945F668DD81F3E67C116223D67A5860F79DFA8EFA6450B2497BB3538A2
5640	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r4c5ro5c.4jp.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5640	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nit3gm0b.c5t.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1852	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pwwfgj33.dt2.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1852	powershell.exe	C:\Users\admin\AppData\Local\Temp\3plpie.rar		compressed
		MD5:E1295A683237ED56A867CDA5B8C0F682	SHA256:985A706D9D8D0F3930E352FC44C40B6C84E464B500B8968B63381A6DC5889A06
4068	csc.exe	C:\Users\admin\AppData\Local\Temp\fhaij4td\fhaij4td.out		text
		MD5:1A91112AC16B3A872BD54E60FC0B5883	SHA256:F88167117B4A3CD6464FE0C8F7B74157B6385A87235194F14FD061460243452A
1852	powershell.exe	C:\Users\admin\AppData\Local\Temp\fhaij4td\fhaij4td.cmdline		text
		MD5:616B94D38FC037A71C0B5A5E450A7D5B	SHA256:D237CFA35C597C7DE59CEAF7FEA48AD49CF774B9E49BABE9A4542452580C262F
4068	csc.exe	C:\Users\admin\AppData\Local\Temp\fhaij4td\CSCAB9C136F17604BF492D37251AF8E6BE2.TMP		binary
		MD5:9736F1EBB69B6D42AA8F575ED2D30753	SHA256:64B02000F1992FC276BD84A64BD9B1EBD685F457F5C785D2A83BA0BAFBBC130E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5360	powershell.exe	GET	200	185.235.128.114:80	http://185.235.128.114/css/UnRAR.exe	unknown	—	—	unknown
5360	powershell.exe	GET	200	185.235.128.114:80	http://185.235.128.114/css/3.PL_PIEC001-L20250227-GLOBAL_ATOP.pdf	unknown	—	—	unknown
5360	powershell.exe	GET	200	185.235.128.114:80	http://185.235.128.114/fonts/eworvolt.rar	unknown	—	—	unknown
—	—	OPTIONS	204	18.207.85.246:443	https://p13n.adobe.io/psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&adcProductLanguage=en-us&adcVersion=23.1.20093&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=DE&adcXAPIClientID=api_reader_desktop_win_23.1.20093&encodingScheme=BASE_64	unknown	—	—	—
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1852	powershell.exe	GET	200	185.235.128.114:80	http://185.235.128.114/js/3plpie.rar	unknown	—	—	unknown
1852	powershell.exe	GET	200	185.235.128.114:80	http://185.235.128.114/css/UnRAR.exe	unknown	—	—	unknown
3896	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
3896	SIHClient.exe	GET	200	23.48.23.135:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
3896	SIHClient.exe	GET	200	23.48.23.135:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
976	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2112	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.32.140:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	40.126.32.140 20.190.160.3 20.190.160.14 20.190.160.131 40.126.32.76 40.126.32.133 20.190.160.128 20.190.160.4	whitelisted
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 51.124.78.146	whitelisted
geo2.adobe.com	23.213.164.167	whitelisted
p13n.adobe.io	54.144.73.197 34.193.227.236 18.207.85.246 107.22.247.231	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
crl.microsoft.com	23.48.23.135 23.48.23.146 23.48.23.147 23.48.23.138 23.48.23.132 23.48.23.144 23.48.23.151 23.48.23.134 23.48.23.148	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
1852	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
1852	powershell.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host RAR Request
1852	powershell.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1852	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
1852	powershell.exe	Misc activity	ET INFO Request for EXE via Powershell
1852	powershell.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1852	powershell.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5360	powershell.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host PDF Request
5360	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
5360	powershell.exe	Misc activity	ET INFO Request for PDF via PowerShell

MMC_ConsoleFileConsoleVersion:	3
MMC_ConsoleFileProgramMode:	UserMDI
MMC_ConsoleFileConsoleFileID:	{ED5E8CA7-2720-4C88-97D1-C2E969A03748}
MMC_ConsoleFileFrameStateShowStatusBar:
MMC_ConsoleFileFrameStatePreventViewCustomization:
MMC_ConsoleFileFrameStateWindowPlacementShowCommand:	SW_SHOWNORMAL
MMC_ConsoleFileFrameStateWindowPlacementPointName:	MinPosition
MMC_ConsoleFileFrameStateWindowPlacementPointX:	-1
MMC_ConsoleFileFrameStateWindowPlacementPointY:	-1
MMC_ConsoleFileFrameStateWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileFrameStateWindowPlacementRectangleTop:	65
MMC_ConsoleFileFrameStateWindowPlacementRectangleBottom:	545
MMC_ConsoleFileFrameStateWindowPlacementRectangleLeft:	174
MMC_ConsoleFileFrameStateWindowPlacementRectangleRight:	1214
MMC_ConsoleFileViewsViewId:	5
MMC_ConsoleFileViewsViewScopePaneWidth:	301
MMC_ConsoleFileViewsViewActionsPaneWidth:	-1
MMC_ConsoleFileViewsViewBookMarkName:	RootNode
MMC_ConsoleFileViewsViewBookMarkNodeID:	1
MMC_ConsoleFileViewsViewWindowPlacementWpfRestoretomaximized:
MMC_ConsoleFileViewsViewWindowPlacementShowCommand:	SW_SHOWMAXIMIZED
MMC_ConsoleFileViewsViewWindowPlacementPointName:	MinPosition
MMC_ConsoleFileViewsViewWindowPlacementPointX:	-1
MMC_ConsoleFileViewsViewWindowPlacementPointY:	-1
MMC_ConsoleFileViewsViewWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileViewsViewWindowPlacementRectangleTop:	130
MMC_ConsoleFileViewsViewWindowPlacementRectangleBottom:	561
MMC_ConsoleFileViewsViewWindowPlacementRectangleLeft:	130
MMC_ConsoleFileViewsViewWindowPlacementRectangleRight:	1350
MMC_ConsoleFileViewsViewViewOptionsViewMode:	Report
MMC_ConsoleFileViewsViewViewOptionsNoStdMenus:
MMC_ConsoleFileViewsViewViewOptionsNoStdButtons:
MMC_ConsoleFileViewsViewViewOptionsNoSnapinMenus:
MMC_ConsoleFileViewsViewViewOptionsNoSnapinButtons:
MMC_ConsoleFileViewsViewViewOptionsNoStatusBar:
MMC_ConsoleFileViewsViewViewOptionsNoTaskpadTabs:
MMC_ConsoleFileViewsViewViewOptionsDescriptionBarVisible:	-
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn0Width:	200
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn1Width:	-
MMC_ConsoleFileVisualAttributesStringName:	ApplicationTitle

General Info

3.PL_PIEC001-L20250227-GLOBAL_ATOP.pdf.msc

4659DB3279657D4EC38473F4F25CB04F

8DC3BCCBA79C8DDC681099B3924B12E355A29FD0

E9B9E6269037EEBA8B99D416E952FFAB3B0C514C0E5FAF2043A8496F39EC3C86

384:jeHUIR5qrkq25/NRFp9jYisCqgaqao8BI92vFGOWPnQB+CVFpH:2NRQhqbFpJYi+gapa928YzVFpH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Request from PowerShell which ran from CMD.EXE

XWORM has been detected (SURICATA)

SUSPICIOUS

Reads Microsoft Outlook installation path

BASE64 encoded PowerShell command has been detected

Reads Internet Explorer settings

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Executable content was dropped or overwritten

Application launched itself

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Connects to the server without a host name

CSC.EXE is used to compile C# code

Starts CMD.EXE for commands execution

Uses base64 encoding (POWERSHELL)

The process executes Powershell scripts

The executable file from the user directory is run by the CMD process

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Checks proxy server information

Reads security settings of Internet Explorer

The sample compiled with english language support

The executable file from the user directory is run by the Powershell process

Disables trace logs

Uses string replace method (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Checks whether the specified file exists (POWERSHELL)

Application launched itself

Found Base64 encoded file access via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Found Base64 encoded network access via PowerShell (YARA)

Reads the software policy settings

Found Base64 encoded access to processes via PowerShell (YARA)

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules