94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\ = "Chromnius"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\StubPath = "\"C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\Localized Name = "Chromnius"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}\IsInstalled = "1"	setup.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	chromnius.exe

Executes dropped EXE 38 IoCs

pid	Process
3696	browser.data
1852	setup.exe
4092	setup.exe
3616	setup.exe
4812	setup.exe
2120	chromnius.exe
3612	chromnius.exe
832	chromnius.exe
4340	chromnius.exe
3812	chromnius.exe
2404	chromnius.exe
808	chromnius.exe
5004	chromnius.exe
3200	chromnius.exe
700	chromnius.exe
1704	chromnius.exe
1724	chromnius.exe
4656	chromnius.exe
3436	chromnius.exe
3372	chromnius.exe
2836	chromnius.exe
1324	chromnius.exe
1864	chromnius.exe
4916	chromnius.exe
1208	chromnius.exe
3776	chromnius.exe
2396	chromnius.exe
740	chromnius.exe
4996	chromnius.exe
3612	chromnius.exe
4060	chromnius.exe
4236	chromnius.exe
1416	chromnius.exe
2344	chromnius.exe
4564	chromnius.exe
3100	chromnius.exe
4516	chromnius.exe
3812	chromnius.exe

Loads dropped DLL 64 IoCs

pid	Process
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
2184	MsiExec.exe
2120	chromnius.exe
3612	chromnius.exe
832	chromnius.exe
2120	chromnius.exe
4340	chromnius.exe
3812	chromnius.exe
2404	chromnius.exe
808	chromnius.exe
5004	chromnius.exe
3200	chromnius.exe
700	chromnius.exe
1704	chromnius.exe
1724	chromnius.exe
4656	chromnius.exe
3436	chromnius.exe
1104	taskmgr.exe
3372	chromnius.exe
1104	taskmgr.exe
1104	taskmgr.exe
2836	chromnius.exe
1324	chromnius.exe
2836	chromnius.exe
4916	chromnius.exe
4916	chromnius.exe
1864	chromnius.exe
1208	chromnius.exe
1864	chromnius.exe
1208	chromnius.exe
1864	chromnius.exe
1864	chromnius.exe
1864	chromnius.exe
3776	chromnius.exe
3776	chromnius.exe
1864	chromnius.exe
2396	chromnius.exe
2396	chromnius.exe
740	chromnius.exe
740	chromnius.exe
4996	chromnius.exe
3612	chromnius.exe
4996	chromnius.exe
3612	chromnius.exe
4060	chromnius.exe
4060	chromnius.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\notification_helper.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\chrome.VisualElementsManifest.xml	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\chrome_wer.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\eventlog_provider.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\el.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\it.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\sr.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files\Chromnius\Application\SetupMetrics\20231010193900.pma	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\118.0.5951.0.manifest	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\chrome_elf.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\da.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\kn.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ko.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\notification_helper.exe	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\de.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\gu.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\hu.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\nl.pak	setup.exe
File created	C:\Program Files\Chromnius\Application\118.0.5951.0\Installer\chrmstp.exe	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ar.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\lt.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files\Chromnius\Application\debug.log	chromnius.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ru.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\chromnius.exe	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ca.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\fil.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\sw.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\te.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\th.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\vk_swiftshader.dll	setup.exe
File created	C:\Program Files\Chromnius\Application\chromnius.exe	setup.exe
File opened for modification	C:\Program Files\Chromnius\Application\SetupMetrics\20231010193900.pma	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\es.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\hi.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ta.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\chrome_proxy.exe	setup.exe
File opened for modification	C:\Program Files\Chromnius\Application\chromnius.exe	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\libGLESv2.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\lv.pak	setup.exe
File created	C:\Program Files\Chromnius\Application\118.0.5951.0\Installer\setup.exe	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\chrome.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\bn.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\fa.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\nb.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\pl.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files\Chromnius\Application\SetupMetrics\6f532625-dc61-4354-9b96-1e4c47df03b5.tmp	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\ml.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\mojo_core.dll	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\chrome.7z	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\sl.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\uk.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\vi.pak	setup.exe
File created	C:\Program Files\Chromnius\Temp\source1852_1027834834\Chrome-bin\118.0.5951.0\Locales\am.pak	setup.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{419A8FA6-AC6C-4F9F-8D6F-9E6BD143F1FD}	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chromnius.exe
File created	C:\Windows\Installer\e588cca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9317.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\e588cca.msi	msiexec.exe
File created	C:\Windows\SystemTemp\scr9EDD.txt	MsiExec.exe
File created	C:\Windows\SystemTemp\msi9EDB.txt	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI9460.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\scr9EDC.ps1	MsiExec.exe
File opened for modification	C:\Windows\SystemTemp\pss9EEF.ps1	MsiExec.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\Installer\MSI8F6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9046.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9730.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\Pro9EFF.tmp	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90F2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002d5e0d994d17e0d40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002d5e0d990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002d5e0d99000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2d5e0d99000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002d5e0d9900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromnius.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chromnius.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromnius.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chromnius.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chromnius.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chromnius.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4664	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chromnius.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133414404882849337"	chromnius.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromniusHTM\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win64\ = "C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\DefaultIcon\ = "C:\\Program Files\\Chromnius\\Application\\chromnius.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\AppUserModelId = "Chromnius"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\shell\open\command\ = "\"C:\\Program Files\\Chromnius\\Application\\chromnius.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromniusHTM\Application	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\ChromniusHTM	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}\AppID = "{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win64	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\Application\ApplicationDescription = "Access the Internet"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\ = "Chromnius HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\Application\AppUserModelId = "Chromnius"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\Application\ApplicationName = "Chromnius"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\ChromniusHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\ChromniusHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromniusHTM\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ChromniusHTM\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\1.0\0\win32\ = "C:\\Program Files\\Chromnius\\Application\\118.0.5951.0\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromniusHTM\Application\ApplicationIcon = "C:\\Program Files\\Chromnius\\Application\\chromnius.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\ChromniusHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D133B120-6DB4-4D6B-8BFE-83BF8CA1B1B0}\LocalService = "ChromniusElevationService"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B88C45B9-8825-4629-B83E-77CC67D9CEED}\TypeLib\ = "{B88C45B9-8825-4629-B83E-77CC67D9CEED}"	setup.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
436	msiexec.exe
436	msiexec.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	436	msiexec.exe
Token: SeCreateTokenPrivilege	4788	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4788	Setup.exe
Token: SeLockMemoryPrivilege	4788	Setup.exe
Token: SeIncreaseQuotaPrivilege	4788	Setup.exe
Token: SeMachineAccountPrivilege	4788	Setup.exe
Token: SeTcbPrivilege	4788	Setup.exe
Token: SeSecurityPrivilege	4788	Setup.exe
Token: SeTakeOwnershipPrivilege	4788	Setup.exe
Token: SeLoadDriverPrivilege	4788	Setup.exe
Token: SeSystemProfilePrivilege	4788	Setup.exe
Token: SeSystemtimePrivilege	4788	Setup.exe
Token: SeProfSingleProcessPrivilege	4788	Setup.exe
Token: SeIncBasePriorityPrivilege	4788	Setup.exe
Token: SeCreatePagefilePrivilege	4788	Setup.exe
Token: SeCreatePermanentPrivilege	4788	Setup.exe
Token: SeBackupPrivilege	4788	Setup.exe
Token: SeRestorePrivilege	4788	Setup.exe
Token: SeShutdownPrivilege	4788	Setup.exe
Token: SeDebugPrivilege	4788	Setup.exe
Token: SeAuditPrivilege	4788	Setup.exe
Token: SeSystemEnvironmentPrivilege	4788	Setup.exe
Token: SeChangeNotifyPrivilege	4788	Setup.exe
Token: SeRemoteShutdownPrivilege	4788	Setup.exe
Token: SeUndockPrivilege	4788	Setup.exe
Token: SeSyncAgentPrivilege	4788	Setup.exe
Token: SeEnableDelegationPrivilege	4788	Setup.exe
Token: SeManageVolumePrivilege	4788	Setup.exe
Token: SeImpersonatePrivilege	4788	Setup.exe
Token: SeCreateGlobalPrivilege	4788	Setup.exe
Token: SeCreateTokenPrivilege	4788	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4788	Setup.exe
Token: SeLockMemoryPrivilege	4788	Setup.exe
Token: SeIncreaseQuotaPrivilege	4788	Setup.exe
Token: SeMachineAccountPrivilege	4788	Setup.exe
Token: SeTcbPrivilege	4788	Setup.exe
Token: SeSecurityPrivilege	4788	Setup.exe
Token: SeTakeOwnershipPrivilege	4788	Setup.exe
Token: SeLoadDriverPrivilege	4788	Setup.exe
Token: SeSystemProfilePrivilege	4788	Setup.exe
Token: SeSystemtimePrivilege	4788	Setup.exe
Token: SeProfSingleProcessPrivilege	4788	Setup.exe
Token: SeIncBasePriorityPrivilege	4788	Setup.exe
Token: SeCreatePagefilePrivilege	4788	Setup.exe
Token: SeCreatePermanentPrivilege	4788	Setup.exe
Token: SeBackupPrivilege	4788	Setup.exe
Token: SeRestorePrivilege	4788	Setup.exe
Token: SeShutdownPrivilege	4788	Setup.exe
Token: SeDebugPrivilege	4788	Setup.exe
Token: SeAuditPrivilege	4788	Setup.exe
Token: SeSystemEnvironmentPrivilege	4788	Setup.exe
Token: SeChangeNotifyPrivilege	4788	Setup.exe
Token: SeRemoteShutdownPrivilege	4788	Setup.exe
Token: SeUndockPrivilege	4788	Setup.exe
Token: SeSyncAgentPrivilege	4788	Setup.exe
Token: SeEnableDelegationPrivilege	4788	Setup.exe
Token: SeManageVolumePrivilege	4788	Setup.exe
Token: SeImpersonatePrivilege	4788	Setup.exe
Token: SeCreateGlobalPrivilege	4788	Setup.exe
Token: SeCreateTokenPrivilege	4788	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	4788	Setup.exe
Token: SeLockMemoryPrivilege	4788	Setup.exe
Token: SeIncreaseQuotaPrivilege	4788	Setup.exe
Token: SeMachineAccountPrivilege	4788	Setup.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4788	Setup.exe
4788	Setup.exe
3616	setup.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
4452	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe
1104	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2112	mmc.exe
2112	mmc.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe
2836	chromnius.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 5080	436	msiexec.exe	89
PID 436 wrote to memory of 5080	436	msiexec.exe	89
PID 436 wrote to memory of 5080	436	msiexec.exe	89
PID 4788 wrote to memory of 2136	4788	Setup.exe	92
PID 4788 wrote to memory of 2136	4788	Setup.exe	92
PID 4788 wrote to memory of 2136	4788	Setup.exe	92
PID 436 wrote to memory of 2692	436	msiexec.exe	101
PID 436 wrote to memory of 2692	436	msiexec.exe	101
PID 436 wrote to memory of 3388	436	msiexec.exe	103
PID 436 wrote to memory of 3388	436	msiexec.exe	103
PID 436 wrote to memory of 3388	436	msiexec.exe	103
PID 436 wrote to memory of 2184	436	msiexec.exe	104
PID 436 wrote to memory of 2184	436	msiexec.exe	104
PID 436 wrote to memory of 2184	436	msiexec.exe	104
PID 2184 wrote to memory of 5064	2184	MsiExec.exe	106
PID 2184 wrote to memory of 5064	2184	MsiExec.exe	106
PID 436 wrote to memory of 3696	436	msiexec.exe	111
PID 436 wrote to memory of 3696	436	msiexec.exe	111
PID 3696 wrote to memory of 1852	3696	browser.data	113
PID 3696 wrote to memory of 1852	3696	browser.data	113
PID 1852 wrote to memory of 4092	1852	setup.exe	114
PID 1852 wrote to memory of 4092	1852	setup.exe	114
PID 1852 wrote to memory of 3616	1852	setup.exe	116
PID 1852 wrote to memory of 3616	1852	setup.exe	116
PID 3616 wrote to memory of 4812	3616	setup.exe	117
PID 3616 wrote to memory of 4812	3616	setup.exe	117
PID 1852 wrote to memory of 2120	1852	setup.exe	119
PID 1852 wrote to memory of 2120	1852	setup.exe	119
PID 2120 wrote to memory of 3612	2120	chromnius.exe	120
PID 2120 wrote to memory of 3612	2120	chromnius.exe	120
PID 3612 wrote to memory of 832	3612	chromnius.exe	121
PID 3612 wrote to memory of 832	3612	chromnius.exe	121
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 4340	2120	chromnius.exe	123
PID 2120 wrote to memory of 3812	2120	chromnius.exe	124
PID 2120 wrote to memory of 3812	2120	chromnius.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /i C:\Users\Admin\AppData\Local\Temp\{419A8FA6-AC6C-4F9F-8D6F-9E6BD143F1FD}\ChromniusPublic.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Chromnius Browser" SECONDSEQUENCE="1" CLIENTPROCESSID="4788" CHAINERUIPROCESSID="4788Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Setup.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1696726014 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Setup.exe" AI_INSTALL="1"
  2⤵
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E92B70BDCC35C1A87C122B5D6FE30C5 C
  2⤵
  - Loads dropped DLL
  PID:5080
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 868753CE482FA2902E1C11C062E8FCCA
  2⤵
  - Loads dropped DLL
  PID:3388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBB3A66D4C38280250834B303318917F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss9EEF.ps1" -propFile "C:\Windows\SystemTemp\msi9EDB.txt" -scriptFile "C:\Windows\SystemTemp\scr9EDC.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr9EDD.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- C:\Users\Admin\AppData\Local\Temp\browser.data
  "C:\Users\Admin\AppData\Local\Temp\\browser.data" --system-level
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\CHROME.PACKED.7Z" --system-level
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff7bedf9970,0x7ff7bedf9980,0x7ff7bedf9990
      4⤵
      Executes dropped EXE
      PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\CR_3D5DE.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0x21c,0x220,0x224,0x44,0x228,0x7ff7bedf9970,0x7ff7bedf9980,0x7ff7bedf9990
        5⤵
        Executes dropped EXE
        
        PID:4812
  - - C:\Program Files\Chromnius\Application\chromnius.exe
      "C:\Program Files\Chromnius\Application\chromnius.exe" --from-installer
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffa726d87e0,0x7ffa726d87f0,0x7ffa726d8800
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ff6cd9486a0,0x7ff6cd9486b0,0x7ff6cd9486c0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:832
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1888 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4340
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --network-service-scheduler --start-stack-profiler --mojo-platform-channel-handle=1940 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3812
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2364 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2404
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2868 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5004
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2520 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:808
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3200
    - - C:\Program Files\Chromnius\Application\chromnius.exe
        
        "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2384 --field-trial-handle=1892,i,4992043807136775087,16130489108172368632,262144 /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1200

C:\Program Files\Chromnius\Application\chromnius.exe
"C:\Program Files\Chromnius\Application\chromnius.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffa726d87e0,0x7ffa726d87f0,0x7ffa726d8800
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704
- - C:\Program Files\Chromnius\Application\chromnius.exe
    "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0x188,0x18c,0x190,0x140,0x19c,0x7ff6cd9486a0,0x7ff6cd9486b0,0x7ff6cd9486c0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1724

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2664

C:\Program Files\Chromnius\Application\chromnius.exe
"C:\Program Files\Chromnius\Application\chromnius.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4656
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0xf4,0xf8,0xfc,0xd4,0x100,0x7ffa726d87e0,0x7ffa726d87f0,0x7ffa726d8800
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3436

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4848
- C:\Windows\system32\taskkill.exe
  taskkill /f /im chromnius.exe
  2⤵
  - Kills process with taskkill
  PID:4664

C:\Program Files\Chromnius\Application\chromnius.exe
"C:\Program Files\Chromnius\Application\chromnius.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2836
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=118.0.5951.0 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffa727787e0,0x7ffa727787f0,0x7ffa72778800
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1324
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1864
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --network-service-scheduler --start-stack-profiler --mojo-platform-channel-handle=2564 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4916
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1208
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --start-stack-profiler --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3776
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2396
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:740
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=3972 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4996
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4560 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3612
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4984 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4060
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4236
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --disable-nacl --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5700 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1416
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3840 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2344
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4640 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4564
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --disable-nacl --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4532 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3812
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=4436 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Program Files\Chromnius\Application\chromnius.exe
  "C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --mojo-platform-channel-handle=5612 --field-trial-handle=2040,i,15031621134052276106,17416839031313715899,262144 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery