0b96d9af471c99a3672ca155220fc5cb453fc587ed69b68adc0d6d568af0a9d6

Resubmissions

16/06/2024, 18:21

240616-wzfn9avhrn 7

16/06/2024, 17:48

240616-wdm67s1alg 8

Analysis

max time kernel
377s
max time network
382s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTS_Remoteplay-install-win64.exe
Size

140.1MB
MD5

bddf7baaf20b9f7dc584b47addfa77ae
SHA1

22e2e824aab479111f4815527ec466e6f1a525d8
SHA256

0b96d9af471c99a3672ca155220fc5cb453fc587ed69b68adc0d6d568af0a9d6
SHA512

a5c9be1425a809c23f80b45b8b10b76c95df7c27037b7d7ff3afabb0ad621f1067740bd820b93794580a988db570515f49b40889658f0f3a03b9c9a8d83996b5
SSDEEP

3145728:vIATPSb+p0c373VuIigW6SKAACRVGq/SEs4egGAQ3M2MdRc:RKb+0c38ZXfYD57jAQ3Mbm

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\ViGEmBus.sys	DrvInst.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	rds-wrtc.exe

Executes dropped EXE 15 IoCs

pid	Process
4596	devcon.exe
3452	rds-aux.exe
3636	rds-aux.exe
2400	rds-wrtc.exe
2324	rds-watcher.exe
1864	rds-wrtc.exe
4676	rds-wrtc.exe
2740	rds-wrtc.exe
2492	rds-wrtc.exe
1824	rds-wrtc.exe
2928	rds-wrtc.exe
2916	rds-wrtc.exe
3356	crashpad_handler.exe
1972	rds-wrtc.exe
3484	rds-wrtc.exe

Loads dropped DLL 64 IoCs

pid	Process
3628	MTS_Remoteplay-install-win64.exe
3628	MTS_Remoteplay-install-win64.exe
3628	MTS_Remoteplay-install-win64.exe
3628	MTS_Remoteplay-install-win64.exe
3628	MTS_Remoteplay-install-win64.exe
3628	MTS_Remoteplay-install-win64.exe
4008	MsiExec.exe
3628	MTS_Remoteplay-install-win64.exe
3452	rds-aux.exe
3452	rds-aux.exe
3452	rds-aux.exe
3452	rds-aux.exe
3452	rds-aux.exe
3452	rds-aux.exe
3636	rds-aux.exe
3636	rds-aux.exe
3636	rds-aux.exe
3636	rds-aux.exe
3636	rds-aux.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2324	rds-watcher.exe
2324	rds-watcher.exe
2324	rds-watcher.exe
1864	rds-wrtc.exe
1864	rds-wrtc.exe
1864	rds-wrtc.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
34	2208	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16A0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16B1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\vigembus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16A0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16B2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16B1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\ViGEmBus.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\ViGEmBus.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{730968cb-f302-0a43-96fb-9a4ad4e4f476}\SET16B2.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\vigembus.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vigembus.inf_amd64_f92aab85c34952aa\ViGEmBus.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\MTS Remote play\bin\liblzma.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\ms.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\fmt.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\css\main.1bba0e81.css.map	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_photo4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\rds-hooks-x64.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\fail.dff3538aea686d5a1680e6104ffc415c.svg	MTS_Remoteplay-install-win64.exe
File opened for modification	C:\Program Files\MTS Remote play\bin\debug.log	rds-wrtc.exe
File created	C:\Program Files\MTS Remote play\bin\boost_random-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\libwebpmux.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_videoio4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\bg.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\Accept.a86363cc05f782321584.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\boost_system-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\crashpad_handler.exe	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_core4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\notification\asset-manifest.json	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\media\MTSSans-Bold__W.4ee746071998651dde8d.woff2	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\boost_math_c99-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\msvcp140_1.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_video4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\ja.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\notification\index.html	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\GPUCache\data_3	rds-wrtc.exe
File created	C:\Program Files\MTS Remote play\bin\boost_url-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\libwebpdemux.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\uk.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\MTSWide-Light.2621a1fbf04fd706f2ff.woff2	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\button_x.0c8b86b3f79cce8be0e35d109e5f47bd.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\media\warning.a37b755661ab17cb1bd77fd907ebaccb.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\bz2.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\en-US.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\loader.47ddb9cdebc28b893b90.png	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\trash.227f0b0a5b3b3ca0fedae152483ec5c5.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\notification\static\media\MTSSans-Bold__W.4ee746071998651dde8d.woff2	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\js\main.dd7c58ec.js.LICENSE.txt	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\tmp\ViGEmBusSetup_x64.msi	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\GameMapper.db	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_calib3d4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\MTSCompact-Medium.36c2e6be7399842f0466.woff2	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\media\important.b865e6d751d2dcec339fc898e67bc3c6.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe	msiexec.exe
File created	C:\Program Files\MTS Remote play\bin\libprotobuf-lite.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\openjp2.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\es-419.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\nb.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\folder.0988416d67a7e1c484b4d85e99d45b3a.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\notification\static\js\main.905537bd.js.LICENSE.txt	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\notification\static\media\MTSSans-Regular__W.61a1491eb2fb26a77277.woff2	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\opencv_features2d4.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\rds-hooks-host-x86.exe	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\msvcp140_2.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\vi.pak	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\library\static\media\button_a.f6b16ec621e3efcfa4c02d0fdd4a788e.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\resources\static\media\checkmark.f19b0be9bad5ba41009bda2e3f00ada3.svg	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\GPUCache\data_0	rds-wrtc.exe
File created	C:\Program Files\MTS Remote play\bin\boost_regex-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\msvcp140.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.cat	msiexec.exe
File created	C:\Program Files\MTS Remote play\bin\boost_math_tr1l-vc143-mt-x64-1_82.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\zstd.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\zlib1.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\vk_swiftshader.dll	MTS_Remoteplay-install-win64.exe
File created	C:\Program Files\MTS Remote play\bin\locales\et.pak	MTS_Remoteplay-install-win64.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI13F0.tmp	msiexec.exe
File created	C:\Windows\Installer\e5812e9.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\ViGEm.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI146E.tmp	msiexec.exe
File created	C:\Windows\Installer\e5812e7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5812e7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{93D91F60-7C94-4A79-863F-EA713D2EB3F3}	msiexec.exe
File created	C:\Windows\Installer\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\ViGEm.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c49f428bb6d5aae20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c49f428b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c49f428b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc49f428b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c49f428b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133630341905878421"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	devcon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06F19D3949C797A468F3AE17D3E23B3F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\PackageCode = "0009B4F754538334F9B3C4D0AA2552EE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Net\1 = "C:\\Program Files\\MTS Remote play\\tmp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\LastUsedSource = "n;1;C:\\Program Files\\MTS Remote play\\tmp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED20A4A03EB04FB4190FE14AA72D8618	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED20A4A03EB04FB4190FE14AA72D8618\06F19D3949C797A468F3AE17D3E23B3F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\ProductName = "Nefarius Virtual Gamepad Emulation Bus Driver"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Version = "17891661"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\ProductIcon = "C:\\Windows\\Installer\\{93D91F60-7C94-4A79-863F-EA713D2EB3F3}\\ViGEm.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\PackageName = "ViGEmBusSetup_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06F19D3949C797A468F3AE17D3E23B3F\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06F19D3949C797A468F3AE17D3E23B3F\Clients = 3a0000000000	msiexec.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rds-wrtc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rds-wrtc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	rds-wrtc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	rds-wrtc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	rds-wrtc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rds-wrtc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1748	msiexec.exe
1748	msiexec.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
1864	rds-wrtc.exe
1864	rds-wrtc.exe
1864	rds-wrtc.exe
1864	rds-wrtc.exe
4676	rds-wrtc.exe
4676	rds-wrtc.exe
4676	rds-wrtc.exe
4676	rds-wrtc.exe
2740	rds-wrtc.exe
2740	rds-wrtc.exe
2740	rds-wrtc.exe
2740	rds-wrtc.exe
2492	rds-wrtc.exe
2492	rds-wrtc.exe
2492	rds-wrtc.exe
2492	rds-wrtc.exe
1824	rds-wrtc.exe
1824	rds-wrtc.exe
1824	rds-wrtc.exe
1824	rds-wrtc.exe
2928	rds-wrtc.exe
2928	rds-wrtc.exe
2916	rds-wrtc.exe
2916	rds-wrtc.exe
2928	rds-wrtc.exe
2928	rds-wrtc.exe
2916	rds-wrtc.exe
2916	rds-wrtc.exe
1972	rds-wrtc.exe
1972	rds-wrtc.exe
3484	rds-wrtc.exe
3484	rds-wrtc.exe
3484	rds-wrtc.exe
3484	rds-wrtc.exe
1972	rds-wrtc.exe
1972	rds-wrtc.exe
2324	rds-watcher.exe
2324	rds-watcher.exe
2400	rds-wrtc.exe
2400	rds-wrtc.exe
4664	chrome.exe
4664	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2208	msiexec.exe
Token: SeSecurityPrivilege	1748	msiexec.exe
Token: SeCreateTokenPrivilege	2208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2208	msiexec.exe
Token: SeLockMemoryPrivilege	2208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2208	msiexec.exe
Token: SeMachineAccountPrivilege	2208	msiexec.exe
Token: SeTcbPrivilege	2208	msiexec.exe
Token: SeSecurityPrivilege	2208	msiexec.exe
Token: SeTakeOwnershipPrivilege	2208	msiexec.exe
Token: SeLoadDriverPrivilege	2208	msiexec.exe
Token: SeSystemProfilePrivilege	2208	msiexec.exe
Token: SeSystemtimePrivilege	2208	msiexec.exe
Token: SeProfSingleProcessPrivilege	2208	msiexec.exe
Token: SeIncBasePriorityPrivilege	2208	msiexec.exe
Token: SeCreatePagefilePrivilege	2208	msiexec.exe
Token: SeCreatePermanentPrivilege	2208	msiexec.exe
Token: SeBackupPrivilege	2208	msiexec.exe
Token: SeRestorePrivilege	2208	msiexec.exe
Token: SeShutdownPrivilege	2208	msiexec.exe
Token: SeDebugPrivilege	2208	msiexec.exe
Token: SeAuditPrivilege	2208	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2208	msiexec.exe
Token: SeChangeNotifyPrivilege	2208	msiexec.exe
Token: SeRemoteShutdownPrivilege	2208	msiexec.exe
Token: SeUndockPrivilege	2208	msiexec.exe
Token: SeSyncAgentPrivilege	2208	msiexec.exe
Token: SeEnableDelegationPrivilege	2208	msiexec.exe
Token: SeManageVolumePrivilege	2208	msiexec.exe
Token: SeImpersonatePrivilege	2208	msiexec.exe
Token: SeCreateGlobalPrivilege	2208	msiexec.exe
Token: SeBackupPrivilege	4896	vssvc.exe
Token: SeRestorePrivilege	4896	vssvc.exe
Token: SeAuditPrivilege	4896	vssvc.exe
Token: SeBackupPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe
Token: SeTakeOwnershipPrivilege	1748	msiexec.exe
Token: SeRestorePrivilege	1748	msiexec.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2208	msiexec.exe
2208	msiexec.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 2208	3628	MTS_Remoteplay-install-win64.exe	88
PID 3628 wrote to memory of 2208	3628	MTS_Remoteplay-install-win64.exe	88
PID 3628 wrote to memory of 2208	3628	MTS_Remoteplay-install-win64.exe	88
PID 1748 wrote to memory of 4796	1748	msiexec.exe	95
PID 1748 wrote to memory of 4796	1748	msiexec.exe	95
PID 1748 wrote to memory of 4008	1748	msiexec.exe	97
PID 1748 wrote to memory of 4008	1748	msiexec.exe	97
PID 1748 wrote to memory of 4008	1748	msiexec.exe	97
PID 4008 wrote to memory of 4596	4008	MsiExec.exe	98
PID 4008 wrote to memory of 4596	4008	MsiExec.exe	98
PID 2736 wrote to memory of 4036	2736	svchost.exe	101
PID 2736 wrote to memory of 4036	2736	svchost.exe	101
PID 2736 wrote to memory of 4144	2736	svchost.exe	102
PID 2736 wrote to memory of 4144	2736	svchost.exe	102
PID 3628 wrote to memory of 3452	3628	MTS_Remoteplay-install-win64.exe	103
PID 3628 wrote to memory of 3452	3628	MTS_Remoteplay-install-win64.exe	103
PID 2400 wrote to memory of 2324	2400	rds-wrtc.exe	107
PID 2400 wrote to memory of 2324	2400	rds-wrtc.exe	107
PID 2400 wrote to memory of 1864	2400	rds-wrtc.exe	109
PID 2400 wrote to memory of 1864	2400	rds-wrtc.exe	109
PID 2400 wrote to memory of 4676	2400	rds-wrtc.exe	110
PID 2400 wrote to memory of 4676	2400	rds-wrtc.exe	110
PID 2400 wrote to memory of 2740	2400	rds-wrtc.exe	111
PID 2400 wrote to memory of 2740	2400	rds-wrtc.exe	111
PID 2400 wrote to memory of 2492	2400	rds-wrtc.exe	112
PID 2400 wrote to memory of 2492	2400	rds-wrtc.exe	112
PID 2400 wrote to memory of 1824	2400	rds-wrtc.exe	113
PID 2400 wrote to memory of 1824	2400	rds-wrtc.exe	113
PID 2400 wrote to memory of 2928	2400	rds-wrtc.exe	114
PID 2400 wrote to memory of 2928	2400	rds-wrtc.exe	114
PID 2400 wrote to memory of 1972	2400	rds-wrtc.exe	115
PID 2400 wrote to memory of 1972	2400	rds-wrtc.exe	115
PID 2400 wrote to memory of 2916	2400	rds-wrtc.exe	116
PID 2400 wrote to memory of 2916	2400	rds-wrtc.exe	116
PID 2400 wrote to memory of 3484	2400	rds-wrtc.exe	117
PID 2400 wrote to memory of 3484	2400	rds-wrtc.exe	117
PID 2400 wrote to memory of 3356	2400	rds-wrtc.exe	118
PID 2400 wrote to memory of 3356	2400	rds-wrtc.exe	118
PID 4664 wrote to memory of 3376	4664	chrome.exe	120
PID 4664 wrote to memory of 3376	4664	chrome.exe	120
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121
PID 4664 wrote to memory of 3664	4664	chrome.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MTS_Remoteplay-install-win64.exe
"C:\Users\Admin\AppData\Local\Temp\MTS_Remoteplay-install-win64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i "C:\Program Files\MTS Remote play\tmp\ViGEmBusSetup_x64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2208
- C:\Program Files\MTS Remote play\bin\rds-aux.exe
  "C:\Program Files\MTS Remote play\bin\rds-aux.exe" install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AFE37B0869535BC8CA96DD15F5427C66 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe
    "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe" install "C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf" Nefarius\ViGEmBus\Gen1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    PID:4596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\vigembus.inf" "9" "429a86e87" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files\nefarius software solutions\virtual gamepad emulation bus driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4036
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce88408607219:ViGEmBus_Device:1.17.333.0:nefarius\vigembus\gen1," "429a86e87" "0000000000000154"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4144

C:\Program Files\MTS Remote play\bin\rds-aux.exe
"C:\Program Files\MTS Remote play\bin\rds-aux.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3636

C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
"C:\Program Files\MTS Remote play\bin\rds-wrtc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\MTS Remote play\bin\rds-watcher.exe
  "C:\Program Files\MTS Remote play\bin\rds-watcher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=gpu-process --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --mojo-platform-channel-handle=64 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --mojo-platform-channel-handle=3168 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files\MTS Remote play\bin\rds-wrtc.exe
  "C:\Program Files\MTS Remote play\bin\rds-wrtc.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Program Files\MTS Remote play\bin\debug.log" --field-trial-handle=2748,3292575326288825871,10024836083314543869,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Program Files\MTS Remote play\bin\crashpad_handler.exe
  "C:\Program Files\MTS Remote play\bin\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Local\rds-wrtc\.sentry-native --metrics-dir=C:\Users\Admin\AppData\Local\rds-wrtc\.sentry-native --url=https://sentry.obs.mts.ru:443/api/69/minidump/?sentry_client=sentry.native/0.6.1&sentry_key=606e11e24bf14e45aa25def98398d676 --attachment=C:/Users/Admin/AppData/Local/rds-wrtc/rds-wrtc.log --attachment=C:\Users\Admin\AppData\Local\rds-wrtc\.sentry-native\cebd2518-e9ff-4ff7-14df-c8e9a153a59a.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\rds-wrtc\.sentry-native\cebd2518-e9ff-4ff7-14df-c8e9a153a59a.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\rds-wrtc\.sentry-native\cebd2518-e9ff-4ff7-14df-c8e9a153a59a.run\__sentry-breadcrumb2 --initial-client-data=0xf98,0xf9c,0xfa0,0xf94,0xfa4,0x7ff8ed2fdfa0,0x7ff8ed2fdfc0,0x7ff8ed2fdfd8
  2⤵
  - Executes dropped EXE
  PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8e96dab58,0x7ff8e96dab68,0x7ff8e96dab78
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4020 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4948 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1944,i,6648155444483719,6016792740051567218,131072 /prefetch:8
  2⤵
  PID:5836

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5812e8.rbs

Filesize
8KB

MD5
ad959c18059085cb6e84c39ba9ffca18

SHA1
79999d10147ffe0d1d9f12d29e8a5e54761c6fac

SHA256
b85220d091e980b14f68295d946ff02745d63af2e414bbccd034cb417a4731ec

SHA512
b45f9a3c2f11202801da42da9f599a61c8623536026552e900179f53c8fb833c2837d3abc336c1b4d7563994f4d75a16b352db26df0c26bcab4a841c6e8ec5f6

Download Submit
C:\Program Files\MTS Remote play\bin\fmt.dll

Filesize
134KB

MD5
94831f598a9529da528334ee67ccadb4

SHA1
4631d433d8b96893a373d74b5a2b35b0b8304d17

SHA256
12c649c1b74526186a8cb4209dbd1475650895b7b1047f96d6fe97d5802640c9

SHA512
557375f244f5487db2f29e95a346e725e1b74cbe54f3450149c4f0385939d0535540e3cc00228bfeccfdc31dd12667817f78cc3328c9c106223a36b8ae5bf86b

Download Submit
C:\Program Files\MTS Remote play\bin\jpeg62.dll

Filesize
608KB

MD5
3146c66f9aa0585d793323dd87958a3a

SHA1
4e96db927c2ff8d7b81049e5377a59e9718be64f

SHA256
2ac89b0d6abf641b812518b705cc9981cfac473a888ed81e66f7d10d5030d8b1

SHA512
3373a15bad87e4ab2ee0ea42a59d0ae555acc11f86032c462171d27a38b0a019bb31a22f7a2e0a2e1f5196f8faf5972daaa6682083bb6ec7ef9b3ef2623e4dc3

Download Submit
C:\Program Files\MTS Remote play\bin\libcrypto-3-x64.dll

Filesize
4.3MB

MD5
8f4a8f51e65ded7d0637a0f346657d68

SHA1
3148303908f671c696e06ef44e4b5d982f3606eb

SHA256
5692e46d097b3ac502a525fd12f8cec24b97dbfd8b737bcb799c097d54ef7bb4

SHA512
9c8422aba59dc33371ece0556f7c712d90f2e8a14e2f777061ace1c006ac803b72333360633208a06cc6bb5c3ba2b52e083d4cb27fa432a527af48305960e4eb

Download Submit
C:\Program Files\MTS Remote play\bin\libssl-3-x64.dll

Filesize
535KB

MD5
95ed230d64c64ca9166ce9560ddc1ddc

SHA1
0412cc95f7bb72d58063a68ae23d7f6c756c0948

SHA256
42a302569b216ddfd3223fa8c09ae64094b3ffaea9aaa0af20c45af8735f0ee8

SHA512
e0cedb68da2a21af586b7c1b77022af167d3eb8e82d00d8e0e12049a2d614a9e5e70074c83983dca3e4c84240b48aea2805ec043075af49fc8463e6af6c01920

Download Submit
C:\Program Files\MTS Remote play\bin\miniupnpc.dll

Filesize
47KB

MD5
af874436666b59001604dca3d512a62d

SHA1
6ce884d6a80da119ac3def8a78df846d3e55c825

SHA256
841ab2b6ef5f1666cec870d4eea90f13872f25c5b7cdcf695d081728f974fd1f

SHA512
c112a8994cbce5e06f6be9726dfe29d6be7df2257a66e04b424c3556688728030e84d407fe1cad7b166969fed2c14d549ba75a24ccd9e5c09e3cf3b3d208ed11

Download Submit
C:\Program Files\MTS Remote play\bin\msvcp140.dll

Filesize
561KB

MD5
72f3d84384e888bf0d38852eb863026b

SHA1
8e6a0257591eb913ae7d0e975c56306b3f680b3f

SHA256
a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

SHA512
6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

Download Submit
C:\Program Files\MTS Remote play\bin\opencv_imgcodecs4.dll

Filesize
323KB

MD5
ec3db443fc32278aeb58f6dab7f714e7

SHA1
6be08eff55ac7199e1ae2e6df1043771a06e2016

SHA256
18116474d1eb0c9f53cfe714d52f13439cdf8de32ea16dc686977a3cd823eecb

SHA512
079e499a376ad546f8d9b2f61cfde79542f6081c4f637a2a8284a3c2ab17bc8a117501dd7f74cb3a8cc109ca5ba59e2668a361e23f114c4f08a274cef6e9329f

Download Submit
C:\Program Files\MTS Remote play\bin\opencv_imgproc4.dll

Filesize
4.7MB

MD5
c84a719970a1c346bec872950ef7ce1f

SHA1
79b65b5910684ed2e1cf2a4a5933087efb15de29

SHA256
6b966bcbf5490f3ed71b9baa7cb4dbc458290ba37fd411063161f4b37fd32ec2

SHA512
2edec35acb22673cd843ad9a37d679ee5610db3728e2f24e89a497ac5082a5199b30e1414f3fed75c106141768bfccc7509c610acc299454bc1848b46e1faa90

Download Submit
C:\Program Files\MTS Remote play\bin\opencv_photo4.dll

Filesize
631KB

MD5
f3c9d4a919773544c7f7d7024ef617d5

SHA1
11270a7a292b8171d12a3217beb1f6150e51dec6

SHA256
fd1a412f66e84e95d924cf1d2f12c44fec132bd3e04d2c349bce4fd43224f2fb

SHA512
36b4ab235514d63665109f0642c2ba19eb071dcef48298a3bf636056774839428cde1148968caa913feb9600b59efc131c2183a90e5ad91238c28b630ae6179c

Download Submit
C:\Program Files\MTS Remote play\bin\opus.dll

Filesize
389KB

MD5
068fb59f8bf66bc98b0c5cbec5d2f833

SHA1
2d4a4222ebe6c98c0a0546218c25fcc043f17337

SHA256
31b2cbac759c95900a38262aa584ee7b7a590533d0ebb61d2c3cafda28b7ed7a

SHA512
2349d1e9640a57e5e2e99601bb7e414f16e2813f9a8d8ff7d997cd1616f6e4731793b060a90309dacc31665430a667f87ba3e9c59a255bd0b100c115660ad37c

Download Submit
C:\Program Files\MTS Remote play\bin\rds-aux.exe

Filesize
3.2MB

MD5
a44818975b2ecec0b99f562cb1010589

SHA1
32275b2dec34521cc430ce5064e7c6c13cebd471

SHA256
5b5f4f9c59716b0105942105f1bdc7cc707533dd5edf1223e3d9c0239d8c9a6e

SHA512
80879d125615cb9d63643e297d73e884ae30c12811689fde10877e5267df18b677d8c6a6cb1154d68a606349290706cdcbbd8d6e3ebbd8d34054a646ddb43675

Download Submit
C:\Program Files\MTS Remote play\bin\rds-wrtc.exe

Filesize
18.2MB

MD5
43b432ef367fe13ac4bc32c72b37b613

SHA1
f976912ec736a688e3ea96223c15dc979b8a4cc7

SHA256
3096fc943ae217295e0b89169af2f629002a45af9d054d1c6d243d8a8ad61291

SHA512
31dbd5a12fcb718faae3ce02c22ceaedb29582e682d8ed52caf7e4c940eb39ff658ea0818fa455c59e64358b6ea56f31b4c182d862ae93bba6d7ab3978bd59ff

Download Submit
C:\Program Files\MTS Remote play\bin\sentry.dll

Filesize
256KB

MD5
046619d5829f595b2b46911e2787f132

SHA1
9d232bb49f22f613215d5d3d264acb01904b7003

SHA256
3d6e212b10e60272d5da55ca4a05eb466857c678313ffedc6de4ff18ff76ad92

SHA512
c28e2c1f604b13069c2f017657d7f7a9bb830a8395159881f7b07b49a34118b240a9fcbc9cf30de27e51fe03e100324fa22b2f29f02c49c627bd9b8394a2b339

Download Submit
C:\Program Files\MTS Remote play\bin\sqlite3.dll

Filesize
993KB

MD5
d7a776918bef07f70e40c856b626d2f2

SHA1
bb805727653ceeb21df93408a0d1579620958b9d

SHA256
775956f59c74b0552687ff5f55e4e8a4def6dd8b7fe4606ef71f735d1ade51f7

SHA512
3e154a236e21b12e5173096505259da8dd366d0c789647000d95f23ec5a6abe4288b0b7b560c3c6ca6f72338aa18c04475e1d04d6705167be070dc94ba00140d

Download Submit
C:\Program Files\MTS Remote play\bin\tesseract53.dll

Filesize
2.6MB

MD5
8c966b189578e9194693cf9afec3c9ae

SHA1
7a3cf1c0f361f88bb6bd19d62d84ecd6f68ba961

SHA256
ecba64c9a8a00abc4ca9a4f37e43f8ff2104a9834b7369c744ea5586b4c6f8f2

SHA512
c608f93c24783e05c0b338dc85446695794c374e11f50245ed4406a35a8a327d2db4465432cc8d8bd5afc6d98d869384a086482e520ddc30652c70934c8c39d9

Download Submit
C:\Program Files\MTS Remote play\bin\vcruntime140.dll

Filesize
117KB

MD5
caf9edded91c1f6c0022b278c16679aa

SHA1
4812da5eb86a93fb0adc5bb60a4980ee8b0ad33a

SHA256
02c6aa0e6e624411a9f19b0360a7865ab15908e26024510e5c38a9c08362c35a

SHA512
32ac84642a9656609c45a6b649b222829be572b5fdeb6d5d93acea203e02816cf6c06063334470e8106871bdc9f2f3c7f0d1d3e554da1832ba1490f644e18362

Download Submit
C:\Program Files\MTS Remote play\bin\vcruntime140_1.dll

Filesize
48KB

MD5
2bd576cbc5cb712935eb1b10e4d312f5

SHA1
dfa7a46012483837f47d8c870973a2dea786d9ff

SHA256
7dd9aa02e271c68ca6d5f18d651d23a15d7259715af43326578f7dde27f37637

SHA512
abbd3eb628d5b7809f49ae08e2436af3d1b69f8a38de71ede3d0cb6e771c7758e35986a0dc0743b763ad91fd8190084ee5a5fbe1ac6159eb03690ccc14c64542

Download Submit
C:\Program Files\MTS Remote play\tmp\ViGEmBusSetup_x64.msi

Filesize
856KB

MD5
d8d2cff2eae7f1d956e3f8a2edaf891d

SHA1
bc33e35ed5d60c492bd6733462bd6cbc19c2cd59

SHA256
5abbba8a4a07aaaeb50b4666183b2f243e0e5ad288026d2a9f3595ed237c4b28

SHA512
50d98dd7d81e309cf764da7d40e321270f2e5ebc387d7b35ddb414c2efcfaa1bf302e51d5dfd3fa4cf871a3449705dc5e57466a3e97fdd5c16f5af3cd3051447

Download Submit
C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\ViGEmBus.inf

Filesize
3KB

MD5
cd0027aa0f5a8a47a6596d880f06964b

SHA1
167b62bfd7471179cf68cb5b2f83c8365edf4875

SHA256
634b032a33cecbf2e43c46c5896a3c359cdda452c632da6396452419ffa301d6

SHA512
19563a3fc7d985ee48a158f6f051e5b8ba200a092b2f1e902024aa9c6a8d6f5a6f04b80c8ea0587bd23802dcfd7775a7a625164387ae61ded5124ccea61b8ef9

Download Submit
C:\Program Files\Nefarius Software Solutions\Virtual Gamepad Emulation Bus Driver\devcon.exe

Filesize
494KB

MD5
68d2ea8e31ce2f290c19611732d7c104

SHA1
9f72145d9b96a1c838041a3b1815835470018e33

SHA256
6591ea75bd60ab2e094b078ffe3de9011694a975c5c84ae8103aa18a73093dc3

SHA512
918ed578dc0c92e20a04536aaebaed7b0de4dfff49ff83ef5ee031e67862a687e40be59bd734e7d0d9da3189e6f586bf253a01cd3dd2b6e8b818f2dd251aea58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_9680AC525D270E357A3E938724263431

Filesize
471B

MD5
2d0c39bd003a649e1062336a134a85c7

SHA1
c1e282f7cb9b95946f9c8d22a0f4625620678d91

SHA256
93adecef70ce76aded6090a7e112db0b244215d87a91476fa54ef48b8446dda9

SHA512
32f829d9a5e01ce422db55555f320b2db0d899c11c7daa039f0de6687b4bcda408fde427038c50ffa2a3c72036c5aee7fb37aa726564d6d44747d8d53ee7c197

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_9680AC525D270E357A3E938724263431

Filesize
408B

MD5
e89f50a3ab010f2294943b0528cef613

SHA1
d3bf542b4edfc1a07a7195ebb8f1545b5edbb844

SHA256
3b6875a05db7700f089e610f32f77f2d5182cf73213d40372706a87cd02317b2

SHA512
94880a0c600b7a02032b15a104ef7e5384521da53a8ec888ea5a452a697e66838ae094ff3ebff5238835b8391e2cdb8b29a79c438cf993b12920b39a647b8b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
67f7af5cc9f807f3386a6d4b6b084449

SHA1
c96ac0e7280dd9ceb7a9b60d4fb12f0b5bbe9ac1

SHA256
606242ef39dcd6e849e2f0d4087030c2856da82b76034fda2f3e91b8916577dc

SHA512
5893f0d77cf6e0e64e43bfe9a63b96d578045fe5fffccfcce6a5eb79c40a1aa9aaf628adacfe852543f7acc7760360f8ccf6c7eed201e3f4fbd554e4e34bcd09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e67b6d2bf22a318c74b63428a508ff91

SHA1
733d50af784dbcb0405647068c661fa1d18730ec

SHA256
a01e5f605dd652a0a80a209568ce867746beaaac81c38134acd06d4d5fa88703

SHA512
6c1629bf866d54963fcad1193673b05e73dcccc3ed3590f29f38c2f5ae21477ed74956eb050f7e3b54fa5063d2cf9958c32267dd579aa5989706c0310e789cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
55ab4521b7663b4d6917d92beb5a3339

SHA1
0570e66b9ff1453aa28e92ac561dec7a28492aaf

SHA256
7895f54e4ce16f058eeefbe9d222555203ad39bad999d0e743df040f873b7f7a

SHA512
6ceb39d8a7d56dd99a85dca86a10458fabf8a1e0007610819c208c8f89b3a1b949c2ac440a4f32f0e37b7f279ec3aed801760ded8a0568fa482772bc1885ae9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bf492f2e2828ea18650d60faa308218e

SHA1
8686af5b35037da3dcfcee66eaec9719adc96ea1

SHA256
5e0aa987b35b43522b36dfbdc6deba08828ba46d6768b469c5839b5c4d677ada

SHA512
1ff723442acaa8d4f8d6672fe28ef840a3122285a92647af3c797481d671dc12d832e3245d0653ba2189751ee77787f5ffb2756e8a5ebf49707516e47c0fa2d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
84573c141bb324561eb5b0258fd1557e

SHA1
58665dd2631ee8eaf8a80370fd20ad8f0a8960cb

SHA256
47e4051737ba2d8c9edcc13c413598df9eaf2ad69fd25f38c69969545dbb88be

SHA512
c325b9c3c003eab7a8e78a4cfadc8a55ca3809d0ec153386d8b7e40cd9fa636ab3a3e62078934f6d014399fdf65b869635af51053c3a08a8670c756669247d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
926f8c83ac893aef3ba288af9e062bd0

SHA1
af45ce975cd8e5895f3b209914c158a0d94751a6

SHA256
6ac3bf17d28e8ac41baa39bf9d53e2dd48a462a42f3ee03790b5967254c915ac

SHA512
6a96c2a3795c1e1a09674c6814f0fe02a082db4b15524640c27a4315d38e1d1db47ad40f02e737d3aa97229f2e5b28ab5eab676d53244562094097fba7799cf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
35cfb19203281c7c9906838e49fac85b

SHA1
d830a775b89a98c64f6d27ad95976d9721aaf2b3

SHA256
4fd58fb41ea1f4b51e62c2debe398ac0ebca98073478bf7b7f30f0d1a589cd49

SHA512
15d432bdf7e45451da946a7b8ca8e22a63ed0924ced77b9305e52e5a0db8c61656b2301ccc93ee8a3f97f7ee138d1789f53a09017604cd33973ff56e27befc13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fa2960fd91bda485e05ff221e08e3156

SHA1
a17ab326867ab4013977b9834942b6b21b6c21e6

SHA256
06085675ec4cbbfcd3a4ae4f5f27f1f35efd44a0b9d88abaed7000b72eb870b9

SHA512
855edb0d4231f67f62e0ce99950210438e4c3678e53ffb01edafc7356b8ba1cc5f83d8aa06187577dd6cf861360bb9b1e22a92d908a52224bc6fce72e0c41f6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
c9e1c460a4064c13a2e5ea07b2ff76e5

SHA1
bdacc9d743ecaf802d0696a8185b2816bda79815

SHA256
907c38f8aaa9f9281463b59fbe97adcb6109b76e1bc4241f98922cf3f948f76e

SHA512
c5ed57178080e2242c8f654147b5901547c20b30435e7c9b24600eb2865dfb2dbde2c5e8f6e950c9d62f5a5abd933ed7545761b6ef534b153319da417430631c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
ad9ad5758b6080dfb199476b81139fdf

SHA1
22592d736973632a702a9f00ff73cf30b28eb7b0

SHA256
08f3baa4f6943de4cbaf954209d4acad04bcd8c1f2418b71bd78238e3c77ce29

SHA512
64f640671cf5fc3331428a73d84936a2a91cfd9f39c6ffa5dc58488c18685a5c31c798b6bbce111798977cb7e25362121662cdafead6052dac91897f88753f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5cadeb.TMP

Filesize
88KB

MD5
fe2e0f24dd78902c6d058e4145bd35cf

SHA1
c00c29172e7de620c39118ed514c363753db769a

SHA256
2c2a4992f320cdd00bc584096a6fc971a9df73e48086b2d2efd8fdda0d3dab5c

SHA512
e0d639138ca7da3201de9cf74d23537074dcfba5b94250b0cf0a0fad00d458a059a50cb71ddb9800c8c172b597185afbc78ecd939f78f0af64d5544ac6aef21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\ioSpecial.ini

Filesize
1KB

MD5
70329ccb0e68f96b226f359a6f120498

SHA1
67b8b169509330807104faa5f7e9413907a876a2

SHA256
66dd22a5f2d865708d1730262fefdf460d8291aad5a2c08fcca74ecf6900e280

SHA512
16d96a9eab1f1f909dadd803c4e481c6e7d65b69d78fdacc122c031a7648180a7f3e975b540740525545e4712cbefddee926fb5b3dc19de901906b58be219b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\ioSpecial.ini

Filesize
1KB

MD5
77841589c803c496c56edf72d87f60c8

SHA1
7483211e515205aa2d3198fdbe1ab9fed62ffccc

SHA256
53486ce15f41616d6bd9fa2276a92d871f02cb3f431da02805eb65894f0c335b

SHA512
0c4658d33fe46fb348945fb515ca3d9193c796d76909f2bc0b44e1275551350d97d1e66f820dacb5b04f3cf2ba8177fc8da612680b8e32a66384b23858ee5cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\ioSpecial.ini

Filesize
1KB

MD5
1e0c32704485721c4db7ac972928b972

SHA1
451bbc55924e09e10eef277d086ecd9aa49fb26f

SHA256
ad7fd97b746816395564c54e56640839e0500f508930fe97d57b416bff1a0de4

SHA512
18eb0593f49ae002c9539e01a3e2542d041cf5f866cb25856f62b519e94f9164322eb615f347953539ec9847a1ba979ecb0fec6a1650bbf276526a921d52d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn40A4.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Windows\Installer\MSI146E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
05b867dfb79d063769305294694c0f90

SHA1
7fc8760fc26ef0b40e5d5be9cd3a5f2489f2ea3b

SHA256
3ac6641eb42f50eb099e8f517ff1c49bcd7dd638928319928893504bccf447fb

SHA512
42bef0603132da77c7f8ae7476b1d3f790568d5bd7ec5ad96275f0befa93953f74d60ad32404ffeebcbd0f85ffd8a6023229450224c9d7d7d756c00d80e57734

Download Submit
\??\Volume{8b429fc4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ba8bfdde-4e15-4321-b6bc-3ff3fcabbba0}_OnDiskSnapshotProp

Filesize
6KB

MD5
a587a9963c74fe5b7578921f3a70ca7e

SHA1
cad888247e1bf34fcfb8308374074e7b7ddbd8b3

SHA256
cac10214bbda91532f632a54b5bf2590eb7959642c03b9ba4072f10d4b0ef3ca

SHA512
59a500ab204ad49f96eb999a6c5665d4a2c7f9adb85320a5e2d47ae3a619cc5a9b166db78110c2d6fb1af6dabe8168ad94a44fe1beaab5281655811c705dc189

Download Submit
\??\c:\PROGRA~1\NEFARI~1\VIRTUA~1\ViGEmBus.sys

Filesize
161KB

MD5
87fe350c6ffe8d60ce58dbc16a2d091e

SHA1
7e2727a31c54df2fe4fba73a6b0537afa5faf534

SHA256
8fb8402b7266fa9b9ea8841708317c8c25367b2947eeda9b6462c0e4801f05a4

SHA512
f892b87a8d45ddb14a99e736eff26f7257c492dade5754362acf4d2522927c337dd3d6ec4d47b0553681764e5cf15db61f8a96098889a7b5a56c052b53dced63

Download Submit
\??\c:\program files\nefarius software solutions\virtual gamepad emulation bus driver\ViGEmBus.cat

Filesize
10KB

MD5
5312064607460baaa4562aabc42b8922

SHA1
c8a0758e5ae7158acb0f6f111ad298fbc0b1a2ae

SHA256
58b8a1bf9160fd4310a183b3431580eda2bc0a5ecaac2e0fbd6399184ff02404

SHA512
dcfc68f09d339695aa3b8eea02a7adafc21473d259df9d6dd7cbb7d29fb8f3ff9b3184f8921d9f829c665b1447ebec7ce97729914fb7367bf6e07d9fd02d2aba

Download Submit
memory/1824-598-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/1824-596-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/1864-584-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/1864-583-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/1972-613-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/1972-607-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2400-577-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2400-578-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2492-595-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2492-597-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2740-592-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2740-593-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2916-602-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2916-604-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2928-601-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/2928-603-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/3484-615-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/3484-614-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/4676-590-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download
memory/4676-591-0x00007FF69EB90000-0x00007FF69FDEF000-memory.dmp

Filesize
18.4MB

Download