47113b285253a1ebce04527a31d734c0dfce5724e8d2643c6c1b822a940e7073

Analysis

max time kernel
500s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unigine_Heaven-2.1.msi
Size

230.2MB
MD5

16228f35edcf357c5a7d4442924d835d
SHA1

3d7b94a3734cdae85f98032b61668e743979c444
SHA256

47113b285253a1ebce04527a31d734c0dfce5724e8d2643c6c1b822a940e7073
SHA512

5c63e0eed7d69b5df392d1895be8c4a08fbebc1ce81dc3a55df52c7c72f83c298b526fa580ed98a214103a8e049041d8a09bdc91eaf876a725517c775c6749b7
SSDEEP

6291456:yxjSsaWlzBQfRwvtPdOpmyGWElh1MfQC5H7dinHdS8:Ed3QJutVOpmvWYsQC5HsnHd

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4696	alredist.exe
2816	Unigine.exe
5004	Unigine.exe
1432	Unigine.exe
3152	Unigine.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wrap_oal.new	alredist.exe
File created	C:\Windows\system32\OpenAL32.new	alredist.exe
File created	C:\Windows\system32\wrap_oal.new	alredist.exe
File opened for modification	C:\Windows\SysWOW64\tmp5043.tmp	alredist.exe
File opened for modification	C:\Windows\SysWOW64\tmp5044.tmp	alredist.exe
File created	C:\Windows\SysWOW64\OpenAL32.new	alredist.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d11_tess_moderate.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d9.bat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\d3dx9_42.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\demos\heaven.zip	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\heaven_2.1.cfg	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d11_tess_disabled.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d11_tess_normal.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_gl_tess_extreme.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Unigine.exe	msiexec.exe
File created	C:\Program Files (x86)\OpenAL\alredist.exe	alredist.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d11_tess_extreme.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_gl_tess_normal.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven.exe	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Unigine_x86.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\html\utils.js	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\d3dx10_42.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d10.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_d3d11.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\html\background.jpg	msiexec.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\scripts.ung	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\html\styles.css	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\unigine.xml	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\core.ung	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_gl_tess_disabled.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\redist\alredist.exe	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\html\run.gif	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\msvcr90.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\d3dcompiler_42.dll	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_gl_tess_moderate.bat	msiexec.exe
File created	C:\Program Files (x86)\Unigine\Heaven\Heaven_gl.bat	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e572d0d.msi	msiexec.exe
File created	C:\Windows\Installer\e572d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e572d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{38468127-9E6F-4FC9-B5F7-42D4AD437D96}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI36B0.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	2816	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	Unigine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Unigine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Unigine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Unigine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Unigine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Unigine.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	Unigine.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Unigine.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	Unigine.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File created	C:\Program Files (x86)\Unigine\Heaven\data\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe
File opened for modification	C:\Program Files (x86)\Unigine\Heaven\C:\Users\Admin\Unigine Heaven\shader_d3d11.cache	Unigine.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3076	msiexec.exe
3076	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5004	Unigine.exe
3152	Unigine.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4200	msiexec.exe
Token: SeSecurityPrivilege	3076	msiexec.exe
Token: SeCreateTokenPrivilege	4200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4200	msiexec.exe
Token: SeLockMemoryPrivilege	4200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4200	msiexec.exe
Token: SeMachineAccountPrivilege	4200	msiexec.exe
Token: SeTcbPrivilege	4200	msiexec.exe
Token: SeSecurityPrivilege	4200	msiexec.exe
Token: SeTakeOwnershipPrivilege	4200	msiexec.exe
Token: SeLoadDriverPrivilege	4200	msiexec.exe
Token: SeSystemProfilePrivilege	4200	msiexec.exe
Token: SeSystemtimePrivilege	4200	msiexec.exe
Token: SeProfSingleProcessPrivilege	4200	msiexec.exe
Token: SeIncBasePriorityPrivilege	4200	msiexec.exe
Token: SeCreatePagefilePrivilege	4200	msiexec.exe
Token: SeCreatePermanentPrivilege	4200	msiexec.exe
Token: SeBackupPrivilege	4200	msiexec.exe
Token: SeRestorePrivilege	4200	msiexec.exe
Token: SeShutdownPrivilege	4200	msiexec.exe
Token: SeDebugPrivilege	4200	msiexec.exe
Token: SeAuditPrivilege	4200	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4200	msiexec.exe
Token: SeChangeNotifyPrivilege	4200	msiexec.exe
Token: SeRemoteShutdownPrivilege	4200	msiexec.exe
Token: SeUndockPrivilege	4200	msiexec.exe
Token: SeSyncAgentPrivilege	4200	msiexec.exe
Token: SeEnableDelegationPrivilege	4200	msiexec.exe
Token: SeManageVolumePrivilege	4200	msiexec.exe
Token: SeImpersonatePrivilege	4200	msiexec.exe
Token: SeCreateGlobalPrivilege	4200	msiexec.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe
Token: SeTakeOwnershipPrivilege	3076	msiexec.exe
Token: SeRestorePrivilege	3076	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4200	msiexec.exe
4200	msiexec.exe
5004	Unigine.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
2816	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
5004	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
1432	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe
3152	Unigine.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3408	3076	msiexec.exe	92
PID 3076 wrote to memory of 3408	3076	msiexec.exe	92
PID 3076 wrote to memory of 4696	3076	msiexec.exe	95
PID 3076 wrote to memory of 4696	3076	msiexec.exe	95
PID 3076 wrote to memory of 4696	3076	msiexec.exe	95
PID 1432 wrote to memory of 4940	1432	Unigine.exe	106
PID 1432 wrote to memory of 4940	1432	Unigine.exe	106
PID 1432 wrote to memory of 4940	1432	Unigine.exe	106

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Unigine_Heaven-2.1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3408
- C:\Program Files (x86)\Unigine\Heaven\redist\alredist.exe
  "C:\Program Files (x86)\Unigine\Heaven\redist\alredist.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:4696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files (x86)\Unigine\Heaven\Unigine.exe
"C:\Program Files (x86)\Unigine\Heaven\Unigine.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 3192
  2⤵
  - Program crash
  PID:4668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380 0x4b0
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2816 -ip 2816
1⤵
PID:4940

C:\Program Files (x86)\Unigine\Heaven\Unigine.exe
"C:\Program Files (x86)\Unigine\Heaven\Unigine.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Program Files (x86)\Unigine\Heaven\Unigine.exe
"C:\Program Files (x86)\Unigine\Heaven\Unigine.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 2836
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4940

C:\Program Files (x86)\Unigine\Heaven\Unigine.exe
"C:\Program Files (x86)\Unigine\Heaven\Unigine.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\AxSHDocVw.dll

Filesize
48KB

MD5
fd432891d69a11ba8a03b4edc5805edf

SHA1
0d94848bee3f2b08bb031d24bf80908f947d9ded

SHA256
5abfc7cb8e9cb2e16bce881244c56b16f601d60c786cef113e7a0a9f0d05ab42

SHA512
85e4f4596f3afe58e2f507a0bd50f5f49e661f20b44b85c08bf3f1ba8373b67d2dbad15d50be16533e292847b41225e5d4c11b655bba38b9803709bc4bb088d1

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\SHDocVw.dll

Filesize
128KB

MD5
ad219aed0b029ddf8c8075af0ead73a0

SHA1
7cf265a03cca48eb38d26207593db5b9fcfb1cf6

SHA256
ba21545facc78370821711375d4d1b2dfce501ece70f299dad33dd88f1c59999

SHA512
b6ee076b3c9f893baa5f077d4ef8a3865ece6a38e4e5f2209c7d42892c92cfb1c79a8644ec81aea9373e5aa4c4d36e00afe07615f2bf412467be12faff530481

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine.exe

Filesize
105KB

MD5
10fa068b89a4ae8317047b12625fa2e9

SHA1
cfb8a2b5ed1ddcb1bdba59307d19f77fe2bbcffd

SHA256
3939fdff437ffddd51d190f9821dfd2725049268f2fca9098610cba5083a6e80

SHA512
a498cb2b5de8b9c0fcaa5daf08031d3efb62e70460c4c657be1dc11df8ef7b8552fbd766b40ffa173d603d3163d93f99fcff8413682cbe9d9ce8244a771aec1f

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine.exe

Filesize
105KB

MD5
10fa068b89a4ae8317047b12625fa2e9

SHA1
cfb8a2b5ed1ddcb1bdba59307d19f77fe2bbcffd

SHA256
3939fdff437ffddd51d190f9821dfd2725049268f2fca9098610cba5083a6e80

SHA512
a498cb2b5de8b9c0fcaa5daf08031d3efb62e70460c4c657be1dc11df8ef7b8552fbd766b40ffa173d603d3163d93f99fcff8413682cbe9d9ce8244a771aec1f

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine.exe

Filesize
105KB

MD5
10fa068b89a4ae8317047b12625fa2e9

SHA1
cfb8a2b5ed1ddcb1bdba59307d19f77fe2bbcffd

SHA256
3939fdff437ffddd51d190f9821dfd2725049268f2fca9098610cba5083a6e80

SHA512
a498cb2b5de8b9c0fcaa5daf08031d3efb62e70460c4c657be1dc11df8ef7b8552fbd766b40ffa173d603d3163d93f99fcff8413682cbe9d9ce8244a771aec1f

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine.exe

Filesize
105KB

MD5
10fa068b89a4ae8317047b12625fa2e9

SHA1
cfb8a2b5ed1ddcb1bdba59307d19f77fe2bbcffd

SHA256
3939fdff437ffddd51d190f9821dfd2725049268f2fca9098610cba5083a6e80

SHA512
a498cb2b5de8b9c0fcaa5daf08031d3efb62e70460c4c657be1dc11df8ef7b8552fbd766b40ffa173d603d3163d93f99fcff8413682cbe9d9ce8244a771aec1f

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine_x86.dll

Filesize
5.1MB

MD5
1afadf607ddb01568e0d597a6b308c82

SHA1
830ab6c100f632f0f407087e56295cf37df5f831

SHA256
d0a9f66b1c8cebba0b0e558e2c98947ed31b7b850360b48552e1f7606b693236

SHA512
5e5befb4dd2772e88fea744ad65ea242fc8aa695b05f45971a6ecbf52e3fbcb665bef347057ac432c65433ddebe534c903991e459ddcf242a5775eda9c87d414

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine_x86.dll

Filesize
5.1MB

MD5
1afadf607ddb01568e0d597a6b308c82

SHA1
830ab6c100f632f0f407087e56295cf37df5f831

SHA256
d0a9f66b1c8cebba0b0e558e2c98947ed31b7b850360b48552e1f7606b693236

SHA512
5e5befb4dd2772e88fea744ad65ea242fc8aa695b05f45971a6ecbf52e3fbcb665bef347057ac432c65433ddebe534c903991e459ddcf242a5775eda9c87d414

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine_x86.dll

Filesize
5.1MB

MD5
1afadf607ddb01568e0d597a6b308c82

SHA1
830ab6c100f632f0f407087e56295cf37df5f831

SHA256
d0a9f66b1c8cebba0b0e558e2c98947ed31b7b850360b48552e1f7606b693236

SHA512
5e5befb4dd2772e88fea744ad65ea242fc8aa695b05f45971a6ecbf52e3fbcb665bef347057ac432c65433ddebe534c903991e459ddcf242a5775eda9c87d414

Download Submit
C:\Program Files (x86)\Unigine\Heaven\Unigine_x86.dll

Filesize
5.1MB

MD5
1afadf607ddb01568e0d597a6b308c82

SHA1
830ab6c100f632f0f407087e56295cf37df5f831

SHA256
d0a9f66b1c8cebba0b0e558e2c98947ed31b7b850360b48552e1f7606b693236

SHA512
5e5befb4dd2772e88fea744ad65ea242fc8aa695b05f45971a6ecbf52e3fbcb665bef347057ac432c65433ddebe534c903991e459ddcf242a5775eda9c87d414

Download Submit
C:\Program Files (x86)\Unigine\Heaven\d3dcompiler_42.dll

Filesize
1.9MB

MD5
b33b21db610116262d906305ce65c354

SHA1
38eef8d8917351ee9bdff2cc4fbfaefaa16b8231

SHA256
6c976311406c23aa71018d274da0ecdef43b6e3a3b0b01e941a5e8e4e974386c

SHA512
7049726ccbba90d06b3a56e1dbde8196935d4681b5548248cd3e6a8e38183c268152ba2b07eb90823bbe327c02ec946c59abe3562b59e29d9bcff8fe90e0adcc

Download Submit
C:\Program Files (x86)\Unigine\Heaven\d3dcompiler_42.dll

Filesize
1.9MB

MD5
b33b21db610116262d906305ce65c354

SHA1
38eef8d8917351ee9bdff2cc4fbfaefaa16b8231

SHA256
6c976311406c23aa71018d274da0ecdef43b6e3a3b0b01e941a5e8e4e974386c

SHA512
7049726ccbba90d06b3a56e1dbde8196935d4681b5548248cd3e6a8e38183c268152ba2b07eb90823bbe327c02ec946c59abe3562b59e29d9bcff8fe90e0adcc

Download Submit
C:\Program Files (x86)\Unigine\Heaven\d3dcompiler_42.dll

Filesize
1.9MB

MD5
b33b21db610116262d906305ce65c354

SHA1
38eef8d8917351ee9bdff2cc4fbfaefaa16b8231

SHA256
6c976311406c23aa71018d274da0ecdef43b6e3a3b0b01e941a5e8e4e974386c

SHA512
7049726ccbba90d06b3a56e1dbde8196935d4681b5548248cd3e6a8e38183c268152ba2b07eb90823bbe327c02ec946c59abe3562b59e29d9bcff8fe90e0adcc

Download Submit
C:\Program Files (x86)\Unigine\Heaven\data\core.ung

Filesize
3.4MB

MD5
a1bd6b9b1dd309f0cfd53505e3ddd1f9

SHA1
8f9bac05d12e7c353249f742d6f7983b83e1e61b

SHA256
751f891e19c87cb102eed68b9be6fb9e83595e9804b3e276df87611c4fe5a983

SHA512
780ea971e6cb6166b958483fe7310b0ca3046b2b80e1fba85cac171d93c08ae57cfac045625afd88b1073b1be4972ec573fb2ec7e74fcda75e8803b9968f43eb

Download Submit
C:\Program Files (x86)\Unigine\Heaven\data\demos\heaven.zip

Filesize
219.5MB

MD5
f1dede01e7b39eacbe3ba48c8f0a5947

SHA1
314bc2d55e0e86600fc97f087e33640da628f11a

SHA256
116019664e5552c6080dcee3c7fa0a4cee8dcb424161202e30bbf6f1e801e6b4

SHA512
5ae32010e251b020f35e2ee53deecb4f90cb1af6d5d2075f01cdf2b8b9f0011d57a19a525a3718c05594e5ce95b9639f321b2cc0e415a45d3b61c5879be86efc

Download Submit
C:\Program Files (x86)\Unigine\Heaven\data\scripts.ung

Filesize
116KB

MD5
8e7fe8ab72b17ce29bc6b58ec1418c71

SHA1
75e266ae24057c5306917069fa1a644a36fc2d20

SHA256
fdfc17b8312cebee176eca10b460822b8b0c531e995d3967fafd4978f8724fd3

SHA512
fb4993402735b78b14374a9b1b3e487010db34fc03b33ecdd536a276965c1664efae81f1d6a75fa3ac3c50b5050e15a452ea39674da3c2fde6b52cb257ba142d

Download Submit
C:\Program Files (x86)\Unigine\Heaven\html\background.jpg

Filesize
154KB

MD5
091e53a432b71ebbf7e8b30708f8c9ac

SHA1
00b10fd82ee0fe4198a62bdcebdf73ea265f1cef

SHA256
d677a271456448cc5dd7e2048fc77ea085c9ccd167569915df3e80d75187f6d5

SHA512
a77aae526e23a95212b5aac519c49fff5a6a94620893bbec0fe19460e7fbae26147a96a41d4e1b74296df60276ae65eb582146012716e48b35eff284362f592a

Download Submit
C:\Program Files (x86)\Unigine\Heaven\html\run.gif

Filesize
1KB

MD5
4a0e7e3ef0c5767784a92e0fa4426d6d

SHA1
7c720d73ad1e7f8575660c8e8b66ff4a829a2eb7

SHA256
c4bb9a51c39b0c17cc25e147d75449b60629e753839f00c68a9e916769e667b2

SHA512
2b0eb012750dbb3fc43f4aaf3dddedecc5f4496921158a1365e78a1f316fa917c68baee2fa444f901e73567227885aae768e0933d3058c92d626af40550ec5b9

Download Submit
C:\Program Files (x86)\Unigine\Heaven\html\styles.css

Filesize
815B

MD5
e7575c5cd0fd22689bace148cac0dac9

SHA1
c4dd41a622f84d0f01f675ba016878c388bcf4ed

SHA256
f92f0b59f28d40287698128a18ba95b50b1d9b69b1f5bf557883f3b0ab7f1b29

SHA512
66f9c5fd3f4b5e37f9c022796bc02b22fc55df5ab6bc5cac71a0210b56173d0b6f2a2c07181ab20be8c16719bf40c8ab6a56b6259c732c0adc536927f72e4da2

Download Submit
C:\Program Files (x86)\Unigine\Heaven\html\utils.js

Filesize
2KB

MD5
ff6fa679d609b6be1c48887c6ade0312

SHA1
9c24ace61fa9eefd9d82e7acf8ee9e8958697bd6

SHA256
1f544eae81afebd958210efe4539773e679977189cd91b542dd365a6ca42aebc

SHA512
0b89cdb3d5ad910e2eb30d045b991561ecd14b2d572a85a1409398f9078340acd0803b5b48865b21244d81a53ef37544ab45276b58016112c71c3a93dcca9d88

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\msvcm90.dll

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Program Files (x86)\Unigine\Heaven\redist\alredist.exe

Filesize
790KB

MD5
694f54bd227916b89fc3eb1db53f0685

SHA1
21fdc367291bbef14dac27925cae698d3928eead

SHA256
b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd

SHA512
55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

Download Submit
C:\Program Files (x86)\Unigine\Heaven\redist\alredist.exe

Filesize
790KB

MD5
694f54bd227916b89fc3eb1db53f0685

SHA1
21fdc367291bbef14dac27925cae698d3928eead

SHA256
b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd

SHA512
55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

Download Submit
C:\Program Files (x86)\Unigine\Heaven\unigine.xml

Filesize
5KB

MD5
66dc6d9516890e4256444cac7e85aba5

SHA1
b4e00e6f1e049a03e539204dbc075d236d74b106

SHA256
a39a0dfd24e8c5015a2a6644624ab9e9ff256daa2a2975739edc9731cb7cf8e1

SHA512
ea7e95e19fa1adad86ab297eca55da13dbdae8b3b055df82730e3a04f1b3c188f10d14a3e70b795639e6d3999698b5e69ab911d3fdc53f446999198c065a490f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Unigine.exe.log

Filesize
580B

MD5
4388594c6ca6694c32166124d7746cf3

SHA1
f516de3ef0c25d57cfa14c5ec746b2e012798ac0

SHA256
cc2ced8a326a914db5f549bcd37554847bc6b139bee6c8008eb20b4b48282e6a

SHA512
125acd10c5e00d353ee600ea52f3a7e58f1dcad3502c16139a2ec674b76ddd0d3164b5a86bb04cbcd97cb5309e604db245ebf7078442cd35a97249352f612f73

Download Submit
C:\Users\Admin\Unigine Heaven\log.html

Filesize
1KB

MD5
157287c3994167a1eb6049179a18d30b

SHA1
c9cb7f0f95284a6ea32e7f58391196bea47b0280

SHA256
ccf32d7ed34f523ae6e9a24246d9057e1a915ab7ae0b5aead120412d41c81726

SHA512
66c422d0fcefe46011a3dcfbeb0664f51e9ffa77cac32ee576e2a18ccb57f613256af0810eaae1f634cccacfe349a1a450a4fd2da606c9a39dabe7635acc6f65

Download Submit
C:\Users\Admin\Unigine Heaven\shader_d3d11.cache

Filesize
195KB

MD5
f2132379697adcc9eec4a5cad590002c

SHA1
862fa21f2b9f1631a2c7efe31af4929cc9387fc9

SHA256
92a00d329b0c60b2ae9577d16429b03d62fe65befa5f7a933ab2656335beed35

SHA512
3698ff7b22974cb7493febe5e8a319d653d79f42121e88b10b58606ba60254e685c9ed2fced516eea9f0d7fbf6d76ca381926f79f8c39ba99181c50101ed8077

Download Submit
C:\Windows\SysWOW64\OpenAL32.dll

Filesize
106KB

MD5
235355a8dd26903e75d5e812ecf50e53

SHA1
8316319341a0f9054e19e4a7b21df3dc49386fee

SHA256
1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

SHA512
5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

Download Submit
C:\Windows\SysWOW64\OpenAL32.dll

Filesize
106KB

MD5
235355a8dd26903e75d5e812ecf50e53

SHA1
8316319341a0f9054e19e4a7b21df3dc49386fee

SHA256
1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

SHA512
5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

Download Submit
C:\Windows\SysWOW64\OpenAL32.dll

Filesize
106KB

MD5
235355a8dd26903e75d5e812ecf50e53

SHA1
8316319341a0f9054e19e4a7b21df3dc49386fee

SHA256
1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

SHA512
5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

Download Submit
C:\Windows\SysWOW64\OpenAL32.dll

Filesize
106KB

MD5
235355a8dd26903e75d5e812ecf50e53

SHA1
8316319341a0f9054e19e4a7b21df3dc49386fee

SHA256
1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

SHA512
5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

Download Submit
C:\Windows\SysWOW64\openal32.dll

Filesize
106KB

MD5
235355a8dd26903e75d5e812ecf50e53

SHA1
8316319341a0f9054e19e4a7b21df3dc49386fee

SHA256
1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

SHA512
5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
C:\Windows\SysWOW64\wrap_oal.dll

Filesize
434KB

MD5
d494267bc169604fac5e3679b9a97fed

SHA1
c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

SHA256
a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

SHA512
7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
0d04c384d040680390927a39f9184f9e

SHA1
16c2f616401f07f52cb2ce1a0f53faf4e62caee1

SHA256
fa4798438ef07da997edccb0cf204170e8f03a200535ab3dc9fb5000d6183bea

SHA512
167edaf4e68a82a252042ebfb4d71e5d8ab6f5cf2337f0e00a2d37a1156d8748c10aed16c6a757ff7fe98444ab631eb5b668769aa2e546ca25eaf205c2d62eb3

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{df466ac6-b3e3-445c-b2f7-d9a3a2a94538}_OnDiskSnapshotProp

Filesize
5KB

MD5
12364cdb71d3965c0490cdbd3269ed7c

SHA1
10f2accaef57fdd54ca4e3172d250473e32c5ff3

SHA256
1ee9d2441f639b9c9d1347e0fadc98cbb249a4f6445ec1238661bf9edc28889e

SHA512
0eb8af9ad28d8b256270cbe541329c2f1d9c7a0e6e8592fbbeed3cc5edac10d06f535aa2b11b9653a796124097c2f7abbfa27630e6c172e0528af49c8b946a51

Download Submit
memory/1432-222-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1432-220-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/1432-216-0x000000000DE80000-0x000000000E2D8000-memory.dmp

Filesize
4.3MB

Download
memory/1432-215-0x000000000DDE0000-0x000000000DDF9000-memory.dmp

Filesize
100KB

Download
memory/1432-214-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2816-180-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2816-151-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2816-179-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/2816-169-0x000000000E780000-0x000000000E799000-memory.dmp

Filesize
100KB

Download
memory/2816-173-0x000000000E8D0000-0x000000000ED28000-memory.dmp

Filesize
4.3MB

Download
memory/3152-226-0x000000000E2D0000-0x000000000E728000-memory.dmp

Filesize
4.3MB

Download
memory/3152-225-0x000000000B430000-0x000000000B449000-memory.dmp

Filesize
100KB

Download
memory/3152-224-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3152-223-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3408-132-0x0000000000000000-mapping.dmp

Download
memory/4696-133-0x0000000000000000-mapping.dmp

Download
memory/4940-221-0x0000000000000000-mapping.dmp

Download
memory/5004-199-0x000000000DF30000-0x000000000DF49000-memory.dmp

Filesize
100KB

Download
memory/5004-194-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5004-193-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/5004-202-0x000000000E090000-0x000000000E4E8000-memory.dmp

Filesize
4.3MB

Download
memory/5004-209-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download