darkcomet | 8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ff

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\SYSTEM32\\SystemFile.exe"	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Modifies firewall policy service 3 TTPs 3 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	SystemFile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	SystemFile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	SystemFile.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	SystemFile.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SystemFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SystemFile.exe

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SystemFile.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
4112	attrib.exe
1232	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Deletes itself 1 IoCs

pid	Process
1248	notepad.exe

Executes dropped EXE 1 IoCs

pid	Process
4844	SystemFile.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SystemFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SystemFile.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemFile = "C:\\Windows\\system32\\SYSTEM32\\SystemFile.exe"	SystemFile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemFile = "C:\\Windows\\system32\\SYSTEM32\\SystemFile.exe"	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
22	2.tcp.eu.ngrok.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSTEM32\SystemFile.exe	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM32\SystemFile.exe	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
File opened for modification	C:\Windows\SysWOW64\SYSTEM32\	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SystemFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{B793188A-844C-4480-9773-F68195AE77CB}	SystemFile.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	SystemFile.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{6924C6D8-B37B-4E74-AE1C-2FB366A929B2}	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4844	SystemFile.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeSecurityPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeTakeOwnershipPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeLoadDriverPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeSystemProfilePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeSystemtimePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeProfSingleProcessPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeIncBasePriorityPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeCreatePagefilePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeBackupPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeRestorePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeShutdownPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeDebugPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeSystemEnvironmentPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeChangeNotifyPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeRemoteShutdownPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeUndockPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeManageVolumePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeImpersonatePrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeCreateGlobalPrivilege	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: 33	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: 34	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: 35	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: 36	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
Token: SeIncreaseQuotaPrivilege	4844	SystemFile.exe
Token: SeSecurityPrivilege	4844	SystemFile.exe
Token: SeTakeOwnershipPrivilege	4844	SystemFile.exe
Token: SeLoadDriverPrivilege	4844	SystemFile.exe
Token: SeSystemProfilePrivilege	4844	SystemFile.exe
Token: SeSystemtimePrivilege	4844	SystemFile.exe
Token: SeProfSingleProcessPrivilege	4844	SystemFile.exe
Token: SeIncBasePriorityPrivilege	4844	SystemFile.exe
Token: SeCreatePagefilePrivilege	4844	SystemFile.exe
Token: SeBackupPrivilege	4844	SystemFile.exe
Token: SeRestorePrivilege	4844	SystemFile.exe
Token: SeShutdownPrivilege	4844	SystemFile.exe
Token: SeDebugPrivilege	4844	SystemFile.exe
Token: SeSystemEnvironmentPrivilege	4844	SystemFile.exe
Token: SeChangeNotifyPrivilege	4844	SystemFile.exe
Token: SeRemoteShutdownPrivilege	4844	SystemFile.exe
Token: SeUndockPrivilege	4844	SystemFile.exe
Token: SeManageVolumePrivilege	4844	SystemFile.exe
Token: SeImpersonatePrivilege	4844	SystemFile.exe
Token: SeCreateGlobalPrivilege	4844	SystemFile.exe
Token: 33	4844	SystemFile.exe
Token: 34	4844	SystemFile.exe
Token: 35	4844	SystemFile.exe
Token: 36	4844	SystemFile.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3272	OpenWith.exe
2480	OpenWith.exe
4844	SystemFile.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2892	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	84
PID 5008 wrote to memory of 2892	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	84
PID 5008 wrote to memory of 2892	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	84
PID 5008 wrote to memory of 3120	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	85
PID 5008 wrote to memory of 3120	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	85
PID 5008 wrote to memory of 3120	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	85
PID 2892 wrote to memory of 4112	2892	cmd.exe	89
PID 2892 wrote to memory of 4112	2892	cmd.exe	89
PID 2892 wrote to memory of 4112	2892	cmd.exe	89
PID 3120 wrote to memory of 1232	3120	cmd.exe	90
PID 3120 wrote to memory of 1232	3120	cmd.exe	90
PID 3120 wrote to memory of 1232	3120	cmd.exe	90
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 1248	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	94
PID 5008 wrote to memory of 4844	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	95
PID 5008 wrote to memory of 4844	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	95
PID 5008 wrote to memory of 4844	5008	8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe	95
PID 4844 wrote to memory of 3464	4844	SystemFile.exe	97
PID 4844 wrote to memory of 3464	4844	SystemFile.exe	97
PID 4844 wrote to memory of 3464	4844	SystemFile.exe	97
PID 4844 wrote to memory of 1148	4844	SystemFile.exe	98
PID 4844 wrote to memory of 1148	4844	SystemFile.exe	98
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99
PID 4844 wrote to memory of 372	4844	SystemFile.exe	99

System policy modification 1 TTPs 3 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	SystemFile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	SystemFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	SystemFile.exe

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
4112	attrib.exe
1232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe
"C:\Users\Admin\AppData\Local\Temp\8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\8606debb563ac66cda022f4163339ecbcba4ef845d470cda68149fa2a88a05ffN.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1232
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\Windows\SysWOW64\SYSTEM32\SystemFile.exe
  "C:\Windows\system32\SYSTEM32\SystemFile.exe"
  2⤵
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4844
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3464
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry