asyncrat | 0712085082841796a11be3e988c1cc131d1608809321683d4e4482363f616e0d

pid	Process
4928	chrome.exe
3016	chrome.exe
3996	chrome.exe
2020	chrome.exe
2732	msedge.exe
908	msedge.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	XWormV6.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	update.dotnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 15 IoCs

pid	Process
4020	Chrome Update.exe
4936	OneDrive.exe
5028	msedge.exe
4280	Xworm V5.6.exe
4748	update.dotnet.exe
744	svchost.exe
3068	svchost.exe
1080	svchost.exe
4828	OneDrive.exe
3512	msedge.exe
2452	XClient.exe
3552	svchost.exe
1936	svchost.exe
3620	OneDrive.exe
1928	OneDrive.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
29	pastebin.com
161	pastebin.com
202	pastebin.com
147	pastebin.com
179	pastebin.com
197	pastebin.com
184	pastebin.com
127	pastebin.com
136	pastebin.com
151	pastebin.com
171	pastebin.com
181	pastebin.com
195	pastebin.com
111	pastebin.com
155	pastebin.com
158	pastebin.com
174	pastebin.com
188	pastebin.com
95	pastebin.com
125	pastebin.com
148	pastebin.com
150	pastebin.com
165	pastebin.com
196	pastebin.com
200	pastebin.com
222	pastebin.com
12	raw.githubusercontent.com
66	pastebin.com
114	pastebin.com
173	pastebin.com
189	pastebin.com
167	pastebin.com
218	pastebin.com
166	pastebin.com
206	pastebin.com
178	pastebin.com
211	pastebin.com
223	pastebin.com
17	pastebin.com
144	pastebin.com
176	pastebin.com
163	pastebin.com
208	pastebin.com
209	pastebin.com
35	pastebin.com
37	pastebin.com
112	pastebin.com
126	pastebin.com
154	pastebin.com
219	pastebin.com
22	pastebin.com
133	pastebin.com
177	pastebin.com
38	pastebin.com
119	pastebin.com
140	pastebin.com
145	pastebin.com
113	pastebin.com
172	pastebin.com
180	pastebin.com
116	pastebin.com
185	pastebin.com
205	pastebin.com
224	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	icanhazip.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2764	cmd.exe
2748	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.dotnet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.dotnet.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4556	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4020	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133816877368431834"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3028	schtasks.exe
3172	schtasks.exe
1872	schtasks.exe
2284	schtasks.exe
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1228	powershell.exe
3760	powershell.exe
3760	powershell.exe
1228	powershell.exe
3992	powershell.exe
1800	powershell.exe
3992	powershell.exe
1800	powershell.exe
4576	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
4576	powershell.exe
4576	powershell.exe
2072	powershell.exe
2072	powershell.exe
628	powershell.exe
628	powershell.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4928	chrome.exe
4928	chrome.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4748	update.dotnet.exe
4416	msedge.exe
4416	msedge.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
224	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4928	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	Chrome Update.exe
Token: SeDebugPrivilege	5028	msedge.exe
Token: SeDebugPrivilege	4936	OneDrive.exe
Token: SeDebugPrivilege	4748	update.dotnet.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeIncreaseQuotaPrivilege	744	svchost.exe
Token: SeSecurityPrivilege	744	svchost.exe
Token: SeTakeOwnershipPrivilege	744	svchost.exe
Token: SeLoadDriverPrivilege	744	svchost.exe
Token: SeSystemProfilePrivilege	744	svchost.exe
Token: SeSystemtimePrivilege	744	svchost.exe
Token: SeProfSingleProcessPrivilege	744	svchost.exe
Token: SeIncBasePriorityPrivilege	744	svchost.exe
Token: SeCreatePagefilePrivilege	744	svchost.exe
Token: SeBackupPrivilege	744	svchost.exe
Token: SeRestorePrivilege	744	svchost.exe
Token: SeShutdownPrivilege	744	svchost.exe
Token: SeDebugPrivilege	744	svchost.exe
Token: SeSystemEnvironmentPrivilege	744	svchost.exe
Token: SeRemoteShutdownPrivilege	744	svchost.exe
Token: SeUndockPrivilege	744	svchost.exe
Token: SeManageVolumePrivilege	744	svchost.exe
Token: 33	744	svchost.exe
Token: 34	744	svchost.exe
Token: 35	744	svchost.exe
Token: 36	744	svchost.exe
Token: SeIncreaseQuotaPrivilege	3068	svchost.exe
Token: SeSecurityPrivilege	3068	svchost.exe
Token: SeTakeOwnershipPrivilege	3068	svchost.exe
Token: SeLoadDriverPrivilege	3068	svchost.exe
Token: SeSystemProfilePrivilege	3068	svchost.exe
Token: SeSystemtimePrivilege	3068	svchost.exe
Token: SeProfSingleProcessPrivilege	3068	svchost.exe
Token: SeIncBasePriorityPrivilege	3068	svchost.exe
Token: SeCreatePagefilePrivilege	3068	svchost.exe
Token: SeBackupPrivilege	3068	svchost.exe
Token: SeRestorePrivilege	3068	svchost.exe
Token: SeShutdownPrivilege	3068	svchost.exe
Token: SeDebugPrivilege	3068	svchost.exe
Token: SeSystemEnvironmentPrivilege	3068	svchost.exe
Token: SeRemoteShutdownPrivilege	3068	svchost.exe
Token: SeUndockPrivilege	3068	svchost.exe
Token: SeManageVolumePrivilege	3068	svchost.exe
Token: 33	3068	svchost.exe
Token: 34	3068	svchost.exe
Token: 35	3068	svchost.exe
Token: 36	3068	svchost.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeSecurityPrivilege	1356	msiexec.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeShutdownPrivilege	4928	chrome.exe
Token: SeCreatePagefilePrivilege	4928	chrome.exe
Token: SeIncreaseQuotaPrivilege	1080	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 4020	3764	XWormV6.0.exe	83
PID 3764 wrote to memory of 4020	3764	XWormV6.0.exe	83
PID 3764 wrote to memory of 4936	3764	XWormV6.0.exe	84
PID 3764 wrote to memory of 4936	3764	XWormV6.0.exe	84
PID 3764 wrote to memory of 5028	3764	XWormV6.0.exe	85
PID 3764 wrote to memory of 5028	3764	XWormV6.0.exe	85
PID 3764 wrote to memory of 4280	3764	XWormV6.0.exe	86
PID 3764 wrote to memory of 4280	3764	XWormV6.0.exe	86
PID 3764 wrote to memory of 4748	3764	XWormV6.0.exe	87
PID 3764 wrote to memory of 4748	3764	XWormV6.0.exe	87
PID 5028 wrote to memory of 3760	5028	msedge.exe	89
PID 5028 wrote to memory of 3760	5028	msedge.exe	89
PID 4936 wrote to memory of 1228	4936	OneDrive.exe	90
PID 4936 wrote to memory of 1228	4936	OneDrive.exe	90
PID 4748 wrote to memory of 744	4748	update.dotnet.exe	93
PID 4748 wrote to memory of 744	4748	update.dotnet.exe	93
PID 5028 wrote to memory of 3992	5028	msedge.exe	94
PID 5028 wrote to memory of 3992	5028	msedge.exe	94
PID 4936 wrote to memory of 1800	4936	OneDrive.exe	96
PID 4936 wrote to memory of 1800	4936	OneDrive.exe	96
PID 5028 wrote to memory of 4576	5028	msedge.exe	98
PID 5028 wrote to memory of 4576	5028	msedge.exe	98
PID 4936 wrote to memory of 4724	4936	OneDrive.exe	100
PID 4936 wrote to memory of 4724	4936	OneDrive.exe	100
PID 4020 wrote to memory of 908	4020	Chrome Update.exe	102
PID 4020 wrote to memory of 908	4020	Chrome Update.exe	102
PID 4936 wrote to memory of 2072	4936	OneDrive.exe	104
PID 4936 wrote to memory of 2072	4936	OneDrive.exe	104
PID 5028 wrote to memory of 628	5028	msedge.exe	106
PID 5028 wrote to memory of 628	5028	msedge.exe	106
PID 4936 wrote to memory of 3028	4936	OneDrive.exe	112
PID 4936 wrote to memory of 3028	4936	OneDrive.exe	112
PID 5028 wrote to memory of 3172	5028	msedge.exe	114
PID 5028 wrote to memory of 3172	5028	msedge.exe	114
PID 4748 wrote to memory of 3068	4748	update.dotnet.exe	124
PID 4748 wrote to memory of 3068	4748	update.dotnet.exe	124
PID 4748 wrote to memory of 4928	4748	update.dotnet.exe	129
PID 4748 wrote to memory of 4928	4748	update.dotnet.exe	129
PID 4928 wrote to memory of 4552	4928	chrome.exe	130
PID 4928 wrote to memory of 4552	4928	chrome.exe	130
PID 4748 wrote to memory of 2764	4748	update.dotnet.exe	131
PID 4748 wrote to memory of 2764	4748	update.dotnet.exe	131
PID 2764 wrote to memory of 1156	2764	cmd.exe	135
PID 2764 wrote to memory of 1156	2764	cmd.exe	135
PID 2764 wrote to memory of 2748	2764	cmd.exe	136
PID 2764 wrote to memory of 2748	2764	cmd.exe	136
PID 2764 wrote to memory of 2220	2764	cmd.exe	137
PID 2764 wrote to memory of 2220	2764	cmd.exe	137
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139
PID 4928 wrote to memory of 1584	4928	chrome.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

C:\Users\Admin\AppData\Local\Temp\XWormV6.0.exe
"C:\Users\Admin\AppData\Local\Temp\XWormV6.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:908
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3172
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:4748
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff986a9cc40,0x7ff986a9cc4c,0x7ff986a9cc58
      4⤵
      PID:4552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --field-trial-handle=1872,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1868 /prefetch:2
      4⤵
      PID:1584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=1924,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:3
      4⤵
      PID:3584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=2116,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:8
      4⤵
      PID:3168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4128,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3664 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2020
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4664,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:8
      4⤵
      PID:972
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4716,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
      4⤵
      PID:1412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4940,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2840 /prefetch:8
      4⤵
      PID:2620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=5032,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
      4⤵
      PID:556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4692,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
      4⤵
      PID:4196
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=5148,i,13933872434133716752,16860216920616538878,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:3560
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1156
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2748
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:2220
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:740
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2088
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2236
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    PID:2732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff985b146f8,0x7ff985b14708,0x7ff985b14718
      4⤵
      PID:820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1496,7867464989996440564,8541218936745180825,131072 --disable-features=PaintHolding --disable-logging --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --disable-logging --mojo-platform-channel-handle=1516 /prefetch:2
      4⤵
      PID:2572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,7867464989996440564,8541218936745180825,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --disable-logging --mojo-platform-channel-handle=1832 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-logging --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1496,7867464989996440564,8541218936745180825,131072 --disable-features=PaintHolding --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1940 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:908
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3552
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dec8f65-8621-4109-bd09-694bf494d64f.bat"
    3⤵
    PID:1100
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4748
      4⤵
      Kills process with taskkill
      PID:4020
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4556

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1168
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2284

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2452
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1872

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:3620

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery