
Running Chrome VPN Extensions via the Registry 2 VPN Extension

Rule type: Sigma · Level: high · Source: SigmaHQ · ATT&CK: T1133 · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-25T23:00:00Z · Confidence: medium

Hunt Hypothesis

A process on the host silently installs one of the listed Chrome VPN or proxy extensions by writing an update_url value under HKLM\Software\Wow6432Node\Google\Chrome\Extensions\<extension id>, Chrome's registry-based external-install mechanism, so that browser traffic can be tunnelled to an outside VPN service. The Atomic Red Team test the rule is built from (T1133, test 1) performs this write for two VPN extension ids; the rule fires on any of 106 known VPN/proxy extension ids. Because the rule keys on the value write, the process that performed it (reg.exe, PowerShell, an installer) is the first triage pivot.

Detection Rule

Sigma (Original)

title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high
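The rule's matching logic as runnable code, added here as an example (it is not part of the Sigma rule, of SigmaHQ or of Atomic Red Team): it re-implements the two selections and the `all of chrome_*` condition in plain Python over a handful of constructed Sysmon Event ID 13 records, using a five-entry subset of the rule's id table, and shows why the `update_url` test has to move to the value-name column on schemas that split Sysmon's TargetObject into key and value. All sample events, the all-`a` extension id and the process paths are constructed for the example.

```python
"""Added example (not part of the Sigma rule or the SigmaHQ project): the rule's
matching logic re-implemented in plain Python and run over constructed Sysmon
Event ID 13 (RegistrySet) records, so the condition can be exercised offline."""

# Subset of the id -> name table from the Sigma rule above; the full rule has 106 entries.
CHROME_VPN_EXTENSION_IDS = {
    "fcfhplploccackoneaefokcmbjfbkenj": "1clickVPN",
    "fdcgdnkidjaadafnichfpabhfomcebme": "ZenMate VPN",
    "fjoaledfpmneenckfbpdfhkmimnjocfa": "NordVPN",
    "hnmpcagpplmpfojmgmnngilcnanddlhb": "Windscribe",
    "padekgcemlokbadohgkifijomclgjgif": "Proxy SwitchyOmega",
}
# Sigma string matching is case-insensitive, so everything is compared lower-cased.
CHROME_EXT_KEY_FRAGMENT = r"software\wow6432node\google\chrome\extensions"


def split_target_object(target_object):
    """Sysmon's TargetObject for EventID 13 is '<key path>\\<value name>'.
    Schemas such as ASIM imRegistry (RegistryKey / RegistryValue) and MDE
    DeviceRegistryEvents (RegistryKey / RegistryValueName) store the two parts in
    separate columns. A translation that tests RegistryKey endswith "update_url"
    on such a schema never fires; the value name must be tested on its own column."""
    key, _, value_name = target_object.rpartition("\\")
    return key, value_name


def match_rule(event):
    """Return the matched extension name, or None. Mirrors the rule:
    chrome_ext (key fragment AND endswith update_url) AND chrome_vpn (any id)."""
    if event.get("EventID") != 13:           # logsource category registry_set
        return None
    target = event["TargetObject"].lower()
    if CHROME_EXT_KEY_FRAGMENT not in target or not target.endswith("update_url"):
        return None                          # chrome_ext not satisfied
    for ext_id, name in CHROME_VPN_EXTENSION_IDS.items():
        if ext_id in target:                 # TargetObject|contains
            return name
    return None


def match_split_schema(registry_key, value_name):
    """Same logic for a schema that already separates key path and value name."""
    key = registry_key.lower()
    if CHROME_EXT_KEY_FRAGMENT not in key or value_name.lower() != "update_url":
        return None
    for ext_id, name in CHROME_VPN_EXTENSION_IDS.items():
        if ext_id in key:
            return name
    return None


def run_rule(events):
    """Evaluate every event; returns (extension name, writing process) per hit."""
    hits = []
    for ev in events:
        name = match_rule(ev)
        if name:
            hits.append((name, ev.get("Image")))
    return hits


# Constructed sample records in the shape of Sysmon Event ID 12/13 fields.
SAMPLE_EVENTS = [
    # the registry install the Atomic test performs: fires
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fcfhplploccackoneaefokcmbjfbkenj\update_url",
     "Details": "https://clients2.google.com/service/update2/crx"},
    # a value set on the same VPN id that is not update_url: no hit
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fcfhplploccackoneaefokcmbjfbkenj\path",
     "Details": r"C:\tmp\ext.crx"},
    # an update_url for an id that is not in the VPN list (constructed, fake id): no hit
    {"EventID": 13, "Image": r"C:\Program Files\Installer\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\update_url",
     "Details": "https://clients2.google.com/service/update2/crx"},
    # key creation (EventID 12) precedes the value write but is not registry_set: no hit
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fjoaledfpmneenckfbpdfhkmimnjocfa"},
    # a key path without the Wow6432Node component is outside the rule's key fragment: no hit
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Google\Chrome\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb\update_url",
     "Details": "https://clients2.google.com/service/update2/crx"},
    # the enterprise force-install list carries the id in the data, not in the key: no hit
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "Details": "fjoaledfpmneenckfbpdfhkmimnjocfa;https://clients2.google.com/service/update2/crx"},
]

if __name__ == "__main__":
    for name, image in run_rule(SAMPLE_EVENTS):
        print(f"HIT {name} written by {image}")
```

Run as-is it prints the single hit (1clickVPN, written by reg.exe). The last two sample records are the coverage gaps a hunter should keep in mind: a key written without the Wow6432Node component never matches the rule's key fragment, and an ExtensionInstallForcelist policy entry puts the extension id in the value data rather than in the key path, so a rule that only inspects TargetObject cannot see it.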

KQL (Azure Sentinel)

// ASIM imRegistry stores the key path in RegistryKey and the value name in RegistryValue,
// so the Sigma clause TargetObject|endswith 'update_url' must be tested on RegistryValue;
// testing RegistryKey endswith "update_url" never matches on this schema.
// has_any matches an id as a whole path component, which is what the Sigma contains
// clause amounts to here, since ids are always bounded by backslashes in the key path.
let chrome_vpn_ext_ids = dynamic([
    "fdcgdnkidjaadafnichfpabhfomcebme", "fcfhplploccackoneaefokcmbjfbkenj", "bihmplhobchoageeokmgbdihknkjbknd", "gkojfkhlekighikafcpjkiklfbnlmeio",
    "jajilbjjinjmgcibalaakngmkilboobh", "gjknjjomckknofjidppipffbpoekiipm", "nabbmpekekjknlbkgpodfndbodhijjem", "kpiecbcckbofpmkkkdibbllpinceiihk",
    "nlbejmccbhkncgokjcmghpfloaajcffj", "omghfjlpggmjjaagoclmmobgdodcjboh", "bibjcjfmgapbfoljiojpipaooddpkpai", "mpcaainmfjjigeicjnlkdfajbioopjko",
    "jljopmgdobloagejpohpldgkiellmfnc", "lochiccbgeohimldjooaakjllnafhaid", "nhnfcgpcbfclhfafjlooihdfghaeinfc", "ookhnhpkphagefgdiemllfajmkdkcaim",
    "namfblliamklmeodpcelkokjbffgmeoo", "nbcojefnccbanplpoffopkoepjmhgdgh", "majdfhpaihoncoakbjgbdhglocklcgno", "lnfdmdhmfbimhhpaeocncdlhiodoblbd",
    "eppiocemhmnlbhjplcgkofciiegomcon", "cocfojppfigjeefejbpfmedgjbpchcng", "foiopecknacmiihiocgdjgbjokkpkohc", "hhdobjgopfphlmjbmnpglhfcgppchgje",
    "jgbaghohigdbgbolncodkdlpenhcmcge", "inligpkjkhbpifecbdjhmdpcfhnlelja", "higioemojdadgdbhbbbkfbebbdlfjbip", "hipncndjamdcmphkgngojegjblibadbe",
    "iolonopooapdagdemdoaihahlfkncfgg", "nhfjkakglbnnpkpldhjmpmmfefifedcj", "jpgljfpmoofbmlieejglhonfofmahini", "fgddmllnllkalaagkghckoinaemmogpe",
    "ejkaocphofnobjdedneohbbiilggdlbi", "keodbianoliadkoelloecbhllnpiocoi", "hoapmlpnmpaehilehggglehfdlnoegck", "poeojclicodamonabcabmapamjkkmnnk",
    "dfkdflfgjdajbhocmfjolpjbebdkcjog", "kcdahmgmaagjhocpipbodaokikjkampi", "klnkiajpmpkkkgpgbogmcgfjhdoljacg", "lneaocagcijjdpkcabeanfpdbmapcjjg",
    "pgfpignfckbloagkfnamnolkeaecfgfh", "jplnlifepflhkbkgonidnobkakhmpnmh", "jliodmnojccaloajphkingdnpljdhdok", "hnmpcagpplmpfojmgmnngilcnanddlhb",
    "ffbkglfijbcbgblgflchnbphjdllaogb", "kcndmbbelllkmioekdagahekgimemejo", "jdgilggpfmjpbodmhndmhojklgfdlhob", "bihhflimonbpcfagfadcnbbdngpopnjb",
    "ppajinakbfocjfnijggfndbdmjggcmde", "oofgbpoabipfcfjapgnbbjjaenockbdp", "bhnhkdgoefpmekcgnccpnhjfdgicfebm", "knmmpciebaoojcpjjoeonlcjacjopcpf",
    "dhadilbmmjiooceioladdphemaliiobo", "jedieiamjmoflcknjdjhpieklepfglin", "mhngpdlhojliikfknhfaglpnddniijfh", "omdakjcmkglenbhjadbccaookpfjihpa",
    "npgimkapccfidfkfoklhpkgmhgfejhbj", "akeehkgglkmpapdnanoochpfmeghfdln", "gbmdmipapolaohpinhblmcnpmmlgfgje", "aigmfoeogfnljhnofglledbhhfegannp",
    "cgojmfochfikphincbhokimmmjenhhgk", "ficajfeojakddincjafebjmfiefcmanc", "ifnaibldjfdmaipaddffmgcmekjhiloa", "jbnmpdkcfkochpanomnkhnafobppmccn",
    "apcfdffemoinopelidncddjbhkiblecc", "mjolnodfokkkaichkcjipfgblbfgojpa", "oifjbnnafapeiknapihcmpeodaeblbkn", "plpmggfglncceinmilojdkiijhmajkjh",
    "mjnbclmflcpookeapghfhapeffmpodij", "bblcccknbdbplgmdjnnikffefhdlobhp", "aojlhgbkmkahabcmcpifbolnoichfeep", "lcmammnjlbmlbcaniggmlejfjpjagiia",
    "knajdeaocbpmfghhmijicidfcmdgbdpm", "bdlcnpceagnkjnjlbbbcepohejbheilk", "edknjdjielmpdlnllkdmaghlbpnmjmgb", "eidnihaadmmancegllknfbliaijfmkgo",
    "ckiahbcmlmkpfiijecbpflfahoimklke", "macdlemfnignjhclfcfichcdhiomgjjb", "chioafkonnhbpajpengbalkececleldf", "amnoibeflfphhplmckdbiajkjaoomgnj",
    "llbhddikeonkpbhpncnhialfbpnilcnc", "pcienlhnoficegnepejpfiklggkioccm", "iocnglnmfkgfedpcemdflhkchokkfeii", "igahhbkcppaollcjeaaoapkijbnphfhb",
    "njpmifchgidinihmijhcfpbdmglecdlb", "ggackgngljinccllcmbgnpgpllcjepgc", "kchocjcihdgkoplngjemhpplmmloanja", "bnijmipndnicefcdbhgcjoognndbgkep",
    "lklekjodgannjcccdlbicoamibgbdnmi", "dbdbnchagbkhknegmhgikkleoogjcfge", "egblhcjfjmbjajhjhpmnlekffgaemgfh", "ehbhfpfdkmhcpaehaooegfdflljcnfec",
    "bkkgdjpomdnfemhhkalfkogckjdkcjkg", "almalgbpmcfpdaopimbdchdliminoign", "akkbkhnikoeojlhiiomohpdnkhbkhieh", "gbfgfbopcfokdpkdigfmoeaajfmpkbnh",
    "bniikohfmajhdcffljgfeiklcbgffppl", "lejgfmmlngaigdmmikblappdafcmkndb", "ffhhkmlgedgcliajaedapkdfigdobcif", "gcknhkkoolaabfmlnjonogaaifnjlfnp",
    "pooljnboifbodgifngpppfklhifechoe", "fjoaledfpmneenckfbpdfhkmimnjocfa", "aakchaleigkohafkfjfjbblobjifikek", "dpplabbmogkhghncfbfdeeokoefdjegm",
    "padekgcemlokbadohgkifijomclgjgif", "bfidboloedlamgdmenmlbipfnccokknp"
]);
imRegistry
| where EventType == "RegistryValueSet"
| where RegistryKey contains @"Software\Wow6432Node\Google\Chrome\Extensions"
| where RegistryValue =~ "update_url"
| where RegistryKey has_any (chrome_vpn_ext_ids)
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, RegistryKey, RegistryValue, RegistryValueData

KQL (Microsoft 365 Defender)

// DeviceRegistryEvents stores the key path in RegistryKey and the value name in
// RegistryValueName, so the Sigma clause TargetObject|endswith 'update_url' must be
// tested on RegistryValueName; testing RegistryKey endswith "update_url" never matches here.
// has_any matches an id as a whole path component, which is what the Sigma contains
// clause amounts to here, since ids are always bounded by backslashes in the key path.
let chrome_vpn_ext_ids = dynamic([
    "fdcgdnkidjaadafnichfpabhfomcebme", "fcfhplploccackoneaefokcmbjfbkenj", "bihmplhobchoageeokmgbdihknkjbknd", "gkojfkhlekighikafcpjkiklfbnlmeio",
    "jajilbjjinjmgcibalaakngmkilboobh", "gjknjjomckknofjidppipffbpoekiipm", "nabbmpekekjknlbkgpodfndbodhijjem", "kpiecbcckbofpmkkkdibbllpinceiihk",
    "nlbejmccbhkncgokjcmghpfloaajcffj", "omghfjlpggmjjaagoclmmobgdodcjboh", "bibjcjfmgapbfoljiojpipaooddpkpai", "mpcaainmfjjigeicjnlkdfajbioopjko",
    "jljopmgdobloagejpohpldgkiellmfnc", "lochiccbgeohimldjooaakjllnafhaid", "nhnfcgpcbfclhfafjlooihdfghaeinfc", "ookhnhpkphagefgdiemllfajmkdkcaim",
    "namfblliamklmeodpcelkokjbffgmeoo", "nbcojefnccbanplpoffopkoepjmhgdgh", "majdfhpaihoncoakbjgbdhglocklcgno", "lnfdmdhmfbimhhpaeocncdlhiodoblbd",
    "eppiocemhmnlbhjplcgkofciiegomcon", "cocfojppfigjeefejbpfmedgjbpchcng", "foiopecknacmiihiocgdjgbjokkpkohc", "hhdobjgopfphlmjbmnpglhfcgppchgje",
    "jgbaghohigdbgbolncodkdlpenhcmcge", "inligpkjkhbpifecbdjhmdpcfhnlelja", "higioemojdadgdbhbbbkfbebbdlfjbip", "hipncndjamdcmphkgngojegjblibadbe",
    "iolonopooapdagdemdoaihahlfkncfgg", "nhfjkakglbnnpkpldhjmpmmfefifedcj", "jpgljfpmoofbmlieejglhonfofmahini", "fgddmllnllkalaagkghckoinaemmogpe",
    "ejkaocphofnobjdedneohbbiilggdlbi", "keodbianoliadkoelloecbhllnpiocoi", "hoapmlpnmpaehilehggglehfdlnoegck", "poeojclicodamonabcabmapamjkkmnnk",
    "dfkdflfgjdajbhocmfjolpjbebdkcjog", "kcdahmgmaagjhocpipbodaokikjkampi", "klnkiajpmpkkkgpgbogmcgfjhdoljacg", "lneaocagcijjdpkcabeanfpdbmapcjjg",
    "pgfpignfckbloagkfnamnolkeaecfgfh", "jplnlifepflhkbkgonidnobkakhmpnmh", "jliodmnojccaloajphkingdnpljdhdok", "hnmpcagpplmpfojmgmnngilcnanddlhb",
    "ffbkglfijbcbgblgflchnbphjdllaogb", "kcndmbbelllkmioekdagahekgimemejo", "jdgilggpfmjpbodmhndmhojklgfdlhob", "bihhflimonbpcfagfadcnbbdngpopnjb",
    "ppajinakbfocjfnijggfndbdmjggcmde", "oofgbpoabipfcfjapgnbbjjaenockbdp", "bhnhkdgoefpmekcgnccpnhjfdgicfebm", "knmmpciebaoojcpjjoeonlcjacjopcpf",
    "dhadilbmmjiooceioladdphemaliiobo", "jedieiamjmoflcknjdjhpieklepfglin", "mhngpdlhojliikfknhfaglpnddniijfh", "omdakjcmkglenbhjadbccaookpfjihpa",
    "npgimkapccfidfkfoklhpkgmhgfejhbj", "akeehkgglkmpapdnanoochpfmeghfdln", "gbmdmipapolaohpinhblmcnpmmlgfgje", "aigmfoeogfnljhnofglledbhhfegannp",
    "cgojmfochfikphincbhokimmmjenhhgk", "ficajfeojakddincjafebjmfiefcmanc", "ifnaibldjfdmaipaddffmgcmekjhiloa", "jbnmpdkcfkochpanomnkhnafobppmccn",
    "apcfdffemoinopelidncddjbhkiblecc", "mjolnodfokkkaichkcjipfgblbfgojpa", "oifjbnnafapeiknapihcmpeodaeblbkn", "plpmggfglncceinmilojdkiijhmajkjh",
    "mjnbclmflcpookeapghfhapeffmpodij", "bblcccknbdbplgmdjnnikffefhdlobhp", "aojlhgbkmkahabcmcpifbolnoichfeep", "lcmammnjlbmlbcaniggmlejfjpjagiia",
    "knajdeaocbpmfghhmijicidfcmdgbdpm", "bdlcnpceagnkjnjlbbbcepohejbheilk", "edknjdjielmpdlnllkdmaghlbpnmjmgb", "eidnihaadmmancegllknfbliaijfmkgo",
    "ckiahbcmlmkpfiijecbpflfahoimklke", "macdlemfnignjhclfcfichcdhiomgjjb", "chioafkonnhbpajpengbalkececleldf", "amnoibeflfphhplmckdbiajkjaoomgnj",
    "llbhddikeonkpbhpncnhialfbpnilcnc", "pcienlhnoficegnepejpfiklggkioccm", "iocnglnmfkgfedpcemdflhkchokkfeii", "igahhbkcppaollcjeaaoapkijbnphfhb",
    "njpmifchgidinihmijhcfpbdmglecdlb", "ggackgngljinccllcmbgnpgpllcjepgc", "kchocjcihdgkoplngjemhpplmmloanja", "bnijmipndnicefcdbhgcjoognndbgkep",
    "lklekjodgannjcccdlbicoamibgbdnmi", "dbdbnchagbkhknegmhgikkleoogjcfge", "egblhcjfjmbjajhjhpmnlekffgaemgfh", "ehbhfpfdkmhcpaehaooegfdflljcnfec",
    "bkkgdjpomdnfemhhkalfkogckjdkcjkg", "almalgbpmcfpdaopimbdchdliminoign", "akkbkhnikoeojlhiiomohpdnkhbkhieh", "gbfgfbopcfokdpkdigfmoeaajfmpkbnh",
    "bniikohfmajhdcffljgfeiklcbgffppl", "lejgfmmlngaigdmmikblappdafcmkndb", "ffhhkmlgedgcliajaedapkdfigdobcif", "gcknhkkoolaabfmlnjonogaaifnjlfnp",
    "pooljnboifbodgifngpppfklhifechoe", "fjoaledfpmneenckfbpdfhkmimnjocfa", "aakchaleigkohafkfjfjbblobjifikek", "dpplabbmogkhghncfbfdeeokoefdjegm",
    "padekgcemlokbadohgkifijomclgjgif", "bfidboloedlamgdmenmlbipfnccokknp"
]);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"Software\Wow6432Node\Google\Chrome\Extensions"
| where RegistryValueName =~ "update_url"
| where RegistryKey has_any (chrome_vpn_ext_ids)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData

Required Data Sources

Sentinel Table    Notes
imRegistry        Ensure this data connector is enabled

False Positive Guidance

The rule itself lists its false positives as Unknown. Benign hits are likely where a VPN or proxy product that ships a companion Chrome extension registers it through this key during its own installation, or where an administrator uses Chrome's documented registry install to deploy one of the listed extensions. Triage on the process that wrote the value (reg.exe or PowerShell launched from a user session is more suspicious than a signed vendor installer), on the account that performed the write, and on the update_url data: Chrome only installs registry-registered extensions on Windows from the Chrome Web Store, so a value that is not the Web Store update URL will not produce a working install but still shows intent.

MITRE ATT&CK Context

The rule is tagged T1133 (External Remote Services) with the initial-access and persistence tactics, following the Atomic Red Team test it was written against. The persistence angle is the install mechanism: an update_url value under Chrome's Extensions key tells Chrome to fetch and install that extension the next time it starts, so a single registry write is enough to keep a VPN or proxy extension present across browser restarts and reboots. The external-remote-services angle is what the extension does once installed: it routes the browser's traffic through a third-party VPN or proxy service, giving an outside party a path into and out of the endpoint that bypasses the organisation's own egress controls. Note that the enterprise ExtensionInstallForcelist policy (HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist) is a separate force-install path that this rule does not cover.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml