darkcomet | cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Executes dropped EXE 2 IoCs

Processes:

CG_LOADER.EXEmsdcsc.exe

pid process

1768 CG_LOADER.EXE
2012 msdcsc.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1752 attrib.exe

pid	process
1768	CG_LOADER.EXE
2012	msdcsc.exe

pid	process
1752	attrib.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE	vmprotect
behavioral1/memory/1768-69-0x0000000000F20000-0x0000000002AAC000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

pid	process
1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 3 IoCs

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 48 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CG_LOADER.EXEchrome.exechrome.exechrome.exechrome.exe

pid process

1768 CG_LOADER.EXE
1248 chrome.exe
1956 chrome.exe
1956 chrome.exe
2660 chrome.exe
2792 chrome.exe

pid	process
1768	CG_LOADER.EXE
1248	chrome.exe
1956	chrome.exe
1956	chrome.exe
2660	chrome.exe
2792	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exemsdcsc.exeCG_LOADER.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeSecurityPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeTakeOwnershipPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeLoadDriverPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeSystemProfilePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeSystemtimePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeProfSingleProcessPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeIncBasePriorityPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeCreatePagefilePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeBackupPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeRestorePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeShutdownPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeDebugPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeSystemEnvironmentPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeChangeNotifyPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeRemoteShutdownPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeUndockPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeManageVolumePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeImpersonatePrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeCreateGlobalPrivilege	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: 33	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: 34	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: 35	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
Token: SeIncreaseQuotaPrivilege	2012	msdcsc.exe
Token: SeSecurityPrivilege	2012	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2012	msdcsc.exe
Token: SeLoadDriverPrivilege	2012	msdcsc.exe
Token: SeSystemProfilePrivilege	2012	msdcsc.exe
Token: SeSystemtimePrivilege	2012	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2012	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2012	msdcsc.exe
Token: SeCreatePagefilePrivilege	2012	msdcsc.exe
Token: SeBackupPrivilege	2012	msdcsc.exe
Token: SeRestorePrivilege	2012	msdcsc.exe
Token: SeShutdownPrivilege	2012	msdcsc.exe
Token: SeDebugPrivilege	2012	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2012	msdcsc.exe
Token: SeChangeNotifyPrivilege	2012	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2012	msdcsc.exe
Token: SeUndockPrivilege	2012	msdcsc.exe
Token: SeManageVolumePrivilege	2012	msdcsc.exe
Token: SeImpersonatePrivilege	2012	msdcsc.exe
Token: SeCreateGlobalPrivilege	2012	msdcsc.exe
Token: 33	2012	msdcsc.exe
Token: 34	2012	msdcsc.exe
Token: 35	2012	msdcsc.exe
Token: SeDebugPrivilege	1768	CG_LOADER.EXE

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

chrome.exe

pid	process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

msdcsc.exechrome.exe

pid process

2012 msdcsc.exe
2660 chrome.exe

pid	process
2012	msdcsc.exe
2660	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.execmd.exemsdcsc.exechrome.exe

description	pid	process	target process
PID 1948 wrote to memory of 1828	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	cmd.exe
PID 1948 wrote to memory of 1828	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	cmd.exe
PID 1948 wrote to memory of 1828	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	cmd.exe
PID 1948 wrote to memory of 1828	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	cmd.exe
PID 1828 wrote to memory of 1752	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 1752	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 1752	1828	cmd.exe	attrib.exe
PID 1828 wrote to memory of 1752	1828	cmd.exe	attrib.exe
PID 1948 wrote to memory of 1768	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	CG_LOADER.EXE
PID 1948 wrote to memory of 1768	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	CG_LOADER.EXE
PID 1948 wrote to memory of 1768	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	CG_LOADER.EXE
PID 1948 wrote to memory of 1768	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	CG_LOADER.EXE
PID 1948 wrote to memory of 2012	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	msdcsc.exe
PID 1948 wrote to memory of 2012	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	msdcsc.exe
PID 1948 wrote to memory of 2012	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	msdcsc.exe
PID 1948 wrote to memory of 2012	1948	cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe	msdcsc.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1416	2012	msdcsc.exe	notepad.exe
PID 2012 wrote to memory of 1004	2012	msdcsc.exe	cmd.exe
PID 2012 wrote to memory of 1004	2012	msdcsc.exe	cmd.exe
PID 2012 wrote to memory of 1004	2012	msdcsc.exe	cmd.exe
PID 2012 wrote to memory of 1004	2012	msdcsc.exe	cmd.exe
PID 1956 wrote to memory of 672	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 672	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 672	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1964	1956	chrome.exe	chrome.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1752 attrib.exe

pid	process
1752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe
"C:\Users\Admin\AppData\Local\Temp\cfcec6c8cf70f706967aa83596fa301a86685059869e6d5183cd1a6ebd8ef429.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1752

C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE
"C:\Users\Admin\AppData\Local\Temp\CG_LOADER.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65c4f50,0x7fef65c4f60,0x7fef65c4f70
2⤵
PID:672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1044 /prefetch:2
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2788 /prefetch:2
2⤵
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3688 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3708 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:1
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,11429426113943059342,13294453797096719691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=780 /prefetch:8
2⤵
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Query Registry