Analysis
max time kernel: 136s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-08-2024 21:52
Static task: static1
Behavioral task: behavioral1
Sample: indexpowershell.ps1
Resource: win7-20240705-en
General
Target: indexpowershell.ps1
Size: 914B
MD5: fec80df570e3c472d9d3445376b29bbe
SHA1: 74209f0508d62c7fbeec2313269d1eadc3fa0601
SHA256: 8a36127d9fdced5a151bb5def00f508f8b132c88af5020a9bf654f468cf12cd8
SHA512: 453d07746ee63c33dc10efbc45beeebd046f41df965988da2f88636623c3476792a7a1f65443e82690d6be984fdfc8af3d8c854191a32d8894f158a76cbb1806
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
3     3496  powershell.exe
64    1292  msiexec.exe
Loads dropped DLL (7 IoCs)
pid   Process
1036  MsiExec.exe
1036  MsiExec.exe
1036  MsiExec.exe
1036  MsiExec.exe
4276  MsiExec.exe
4276  MsiExec.exe
4276  MsiExec.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe: \??\Q:, \??\T:, \??\U:, \??\V:, \??\A:, \??\E:, \??\J:, \??\M:, \??\S:, \??\W:, \??\X:, \??\Y:, \??\B:, \??\G:, \??\K:, \??\R:, \??\N:, \??\O:, \??\Z:, \??\H:, \??\I:, \??\L:, \??\P:
Drops file in Program Files directory (17 IoCs)
File created by msiexec.exe under C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\:
- com.google.chrome.remote_desktop-firefox.json
- com.google.chrome.remote_assistance.json
- com.google.chrome.remote_webauthn.json
- remote_assistance_host.exe
- com.google.chrome.remote_assistance-firefox.json
- icudtl.dat
- remote_open_url.exe
- remote_webauthn.exe
- remoting_native_messaging_host.exe
- CREDITS.txt
- remote_assistance_host_uiaccess.exe
- remote_security_key.exe
- remoting_core.dll
- remoting_desktop.exe
- remoting_host.exe
- remoting_start_host.exe
- com.google.chrome.remote_desktop.json
Drops file in Windows directory (18 IoCs)
- File opened for modification: C:\Windows\Installer\MSID7FA.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID9B2.tmp (msiexec.exe)
- File created: C:\Windows\Installer\wix{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}.SchedServiceConfig.rmi (MsiExec.exe)
- File created: C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e59d1dd.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID6BF.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID7DA.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID82A.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE27E.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e59d1e1.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE192.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e59d1dd.msi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID7D9.tmp (msiexec.exe)
Command and Scripting Interpreter: PowerShell
pid   Process
3496  powershell.exe
1212  powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Modifies data under HKEY_USERS (44 IoCs)
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
3496  powershell.exe
3496  powershell.exe
1292  msiexec.exe
1292  msiexec.exe
1212  powershell.exe
1212  powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (11 IoCs)
description                     pid   Process         procid_target
PID 3496 wrote to memory of 2080  3496  powershell.exe  109
PID 3496 wrote to memory of 2080  3496  powershell.exe  109
PID 1292 wrote to memory of 1036  1292  msiexec.exe     112
PID 1292 wrote to memory of 1036  1292  msiexec.exe     112
PID 1292 wrote to memory of 1036  1292  msiexec.exe     112
PID 1292 wrote to memory of 4276  1292  msiexec.exe     113
PID 1292 wrote to memory of 4276  1292  msiexec.exe     113
PID 1292 wrote to memory of 4276  1292  msiexec.exe     113
PID 4276 wrote to memory of 1212  4276  MsiExec.exe     114
PID 4276 wrote to memory of 1212  4276  MsiExec.exe     114
PID 4276 wrote to memory of 1212  4276  MsiExec.exe     114
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\indexpowershell.ps1
  PID: 3496
  Signatures:
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\msiexec.exe
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi" /quiet /norestart
    PID: 2080
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1292
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B4AD8C0875C87E2437B7CFCA65C00598
    PID: 1036
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6E3D447F9FFC059B0CD7FE1D606F1CDF E Global\MSI0000
    PID: 4276
    Signatures:
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\' -Force
      PID: 1212
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads