Malware Analysis Report

2024-07-28 05:33

Sample ID 240609-qbppcsbe58
Target chromeremotedesktophost.msi
SHA256 9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
Tags
execution
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce

Threat Level: Shows suspicious behavior

The file chromeremotedesktophost.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

execution

Enumerates connected drives

Blocklisted process makes network request

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-09 13:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 13:05

Reported

2024-06-09 13:44

Platform

win11-20240426-en

Max time kernel

459s

Max time network

1187s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_native_messaging_host.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_desktop-firefox.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_open_url.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_host.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_start_host.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_assistance.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_assistance-firefox.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_desktop.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_security_key.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_desktop.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_webauthn.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\CREDITS.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_assistance_host.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_assistance_host_uiaccess.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_webauthn.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI74E4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7DD0.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577282.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7475.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7542.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7455.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF2500AFA23002EB4B.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF184AD3BF3B6145AB.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SystemTemp\~DF6D01B86AA2D6D912.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e577280.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e577280.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF43132AE2CECCD72E.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI76DA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E5E.tmp C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000ac0d0bd70b51cb00000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000ac0d0bd0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000ac0d0bd000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0ac0d0bd000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000ac0d0bd00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ = "IRdpDesktopSession" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\ProductIcon = "C:\\Windows\\Installer\\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\\chromoting.ico" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationName = "@C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-119" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\DefaultIcon\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-112" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\ = "ChromotingRdpDesktopSession" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ = "IRdpDesktopSession PSFactory" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ProxyStubClsid32\ = "{b59b96da-83cb-40ee-9b91-c377400fc3e3}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B7872FEC5F0C94468FFF6D482EDC364\chromoting_host C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\767F12B2751E6AF469C35538C441336A\1B7872FEC5F0C94468FFF6D482EDC364 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\AccessPermission = 010014807800000088000000140000003000000002001c000100000011001400040000000101000000000010002000000200480003000000000014000b000000010100000000000512000000000018000b00000001020000000000052000000020020000000014000b0000000101000000000005130000000102000000000005200000002002000001020000000000052000000020020000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\RunAs = "NT AUTHORITY\\LocalService" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B7872FEC5F0C94468FFF6D482EDC364 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\PackageName = "chromeremotedesktophost.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\shell\open\command\ = "\"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remote_open_url.exe\" %1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ = "IRdpDesktopSessionEventHandler" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationIcon = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-112" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\shell C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\AppID = "{52e6fd1a-f16e-49c0-aacb-5436a915448b}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationDescription = "@C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-120" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\ = "Chromoting 1.0 Type Library" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppId\{52e6fd1a-f16e-49c0-aacb-5436a915448b} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\LocalServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_host.exe --type=rdp_desktop_session" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\ProductName = "Chrome Remote Desktop Host" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Net C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 3212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 3212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 3212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 1016 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4656 wrote to memory of 1016 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4656 wrote to memory of 3820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 3820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 3820 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 4952 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 4952 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4656 wrote to memory of 4952 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4952 wrote to memory of 436 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 436 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 436 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F8430C5913D4AD324A7D845E64AD28EB C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B0FD9E0EA03874423E227DB4541DB626

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2C2BDB3796664C5F408B0425A5CF356F E Global\MSI0000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\' -Force

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI5890.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

MD5 0740dcc3a03181dc5f5c3cfcb2f8baad
SHA1 e2021a6e26fcfa8a8d0ec07694c259098e5c7ce7
SHA256 bebbdefdcbb7885cabc8bac62205fb10767793e009166d2729c809ba84ee6f1c
SHA512 b558dc1acb4bf4e87b6be46b072dee1914d0098130ffc0b6e340f8a108b3d108a10021f3364b013dcc78e696a4fdacc0a777ac92662599ba893aa7fc314a29aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

MD5 e3a56d6fe80f9085bd0ccdb7c8d695a0
SHA1 4a6048d257bfd9e9462291e6a643aa6f344a3094
SHA256 035a4d3f7c63b572e7c0cd44116b31b516e7309fac48a3019bb8c2ac8584963e
SHA512 a4498f848de10729c41a69617fc5db87a1efc8637cd0d60d0e84ce8178381b7f11ef3eee5d690877d80ce298b30a4617d78ed09aa4ea2f366e70b9c27cd44d15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 8f78bb16ed43771498053a206449f731
SHA1 7c7c6e608ffccf8b3a140ac3735345308b2144eb
SHA256 ccc2849d1d1a47ee1f735a31f09610aeba5323b46d54485157d0bdc6a401b319
SHA512 31bee34a67ba3bf911ce06913870e2cbee0408a3629b988d953d436bc6698baf468ce0d7a357f97876e9cbf06d0f5595b75fd510ebd65e5e6ac8350962b7a543

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

MD5 b1b582ce68f4e965bdce75a026dd4d3e
SHA1 3910e743253b10fdbf95b853dc71b6f7f78ec6ea
SHA256 ee9e73867e1217852c11803dc28f8263c5823a641b7e2255ca08b14c1172e2e8
SHA512 94e91f7a455ea4af0f6851714bdcc8a7f1a77de2bb0ceee6f51c5a9a339d7a5f76bc4ae2923bcef7e17835504d3dd5c455a7a3dd4d89a71f2002896cee0860fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 05f051024e58ace00a3e6b664d1f4d87
SHA1 058ac9df7b569bab3c67d397a076e89403b7e7ca
SHA256 91753c68e866de309b6e5ad231bc3e7b03d461a07b361d4656df04275a9fa1c7
SHA512 7a96ebf0ce2e4e293715199df782cb292219c21a573f27c0e14713bb7cdc07d0853845e7f9395338c472e9d291beaec1130fcabf118d6c80861501fd806c763e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

MD5 bec49fee0d6e8b202b5d158dfbb40fcb
SHA1 02929dea622594fba7a277895dd7aabc8d4fde99
SHA256 8133598e9ab395a5601d55b39dcdec51b49f3eddb10468a6e2af22e6eb23d455
SHA512 42ac885d7229528691b0587dba15b6e62eed1aa37babc1d6d0e1564cdb20c616a572a5fb235453db5a468c663533d632b63717004c0a0aa532824de9537c5b00

C:\Windows\Installer\MSI7475.tmp

MD5 85fcf7b457b7194bbeb46db22fae05c3
SHA1 5eca64d0d4ab4599852a475a7dd25beb88ae1c27
SHA256 e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31
SHA512 12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

memory/436-63-0x0000000004850000-0x0000000004886000-memory.dmp

memory/436-64-0x0000000004FE0000-0x000000000560A000-memory.dmp

memory/436-65-0x0000000004F20000-0x0000000004F42000-memory.dmp

memory/436-66-0x0000000005700000-0x0000000005766000-memory.dmp

memory/436-67-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktr0q2bg.o1z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/436-76-0x00000000057E0000-0x0000000005B37000-memory.dmp

memory/436-77-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

memory/436-78-0x0000000005D00000-0x0000000005D4C000-memory.dmp

memory/436-79-0x0000000006CA0000-0x0000000006D36000-memory.dmp

memory/436-80-0x00000000061F0000-0x000000000620A000-memory.dmp

memory/436-81-0x0000000006240000-0x0000000006262000-memory.dmp

memory/436-82-0x00000000072F0000-0x0000000007896000-memory.dmp

C:\Config.Msi\e577281.rbs

MD5 26bb40d58acbe76518984fe2b28e4585
SHA1 b9a829518182afff35b741f753ee77b0857a5feb
SHA256 a4c8a2c567ae11c2b3380c3bd15773919c67dc0e2e242ffb5c6793a28e3342bf
SHA512 374897f6969d8913a9ca5f322871bb3cef8308a33ce486aae4a6b143ac7eed932122973deb53cda5604be476565029343ff5a147543e3b4cc0f0fdd4f903e8af

C:\Windows\Installer\e577280.msi

MD5 5f259c755b3dcbbbbc27f9513cddac61
SHA1 0e672bad7b67cc1f234b265f3af21976935c4903
SHA256 9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
SHA512 4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3

\??\Volume{bdd0c00a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1cc1d5a4-0d22-4c54-bc43-ed73c19909b9}_OnDiskSnapshotProp

MD5 edfcf18542b2b6d8f6d487e7b203836f
SHA1 1d5426f7bbe6b0fe86051bfd28c8144c7000b9fb
SHA256 ee573b758364969c10f6ac71d7268cf934a4bc552c7f1f4644a92de28c3acb64
SHA512 eff999fe4cbd8fb82fdf60385721219c198fc55ccd4cb3c1b1d72c912ca27be22769e785b1404553c59127043b126efec722478e89b682ec31e0fe2cf66c3915

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 92a12fb8c7683077845149df77df62c3
SHA1 14d4d5a5934f5c12a28dc3e72cc020a7d53d74da
SHA256 8bb87640823680f8f1aa4b782b910647d270f42919684f1a7beb52f306298de4
SHA512 93279055d3ee456d896b91401013a23d236dfaacdf6d784bbb75c760d6db1f145390d8dc45a687210d1b33a428761054a8dc6d828b5be6a33c2156eb86e0ef51