2b0e05e169643319074f306153e55f2d839adb0378d6e721c04198233b892bfa

Resubmissions

18/06/2024, 07:57

240618-jtd71sthkb 1

01/06/2024, 14:06

240601-rehwnaec6y 1

29/12/2022, 21:46

221229-1mryzaec36 8

Analysis

max time kernel
267s
max time network
270s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2022, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftInstaller.exe
Size

31.8MB
MD5

24c96f96660bcedbf8648c8e43c3630c
SHA1

127dbeec1e9a7b8db42704172ba9e9bae0269754
SHA256

2b0e05e169643319074f306153e55f2d839adb0378d6e721c04198233b892bfa
SHA512

ed01d726284b92f0c594db2b4644903109c1f7ec650b6572207d1f1d8fe26e97dd3d89df6296b625023f0c63148b5ae543db21573c60aa487c57414219e3916c
SSDEEP

393216:Ubekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9yt:vZn/G4Gqk1cWe2iTVCMue3T

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1588	gameinputsvc.exe
212	gameinputsvc.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25209EC2-1BAD-45AB-AC18-42396DF52294}\InProcServer32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25209EC2-1BAD-45AB-AC18-42396DF52294}\InProcServer32\ = "C:\\Windows\\system32\\GamingServicesProxy.dll"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{25209EC2-1BAD-45AB-AC18-42396DF52294}\InProcServer32\ThreadingModel = "Both"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32\ = "C:\\Program Files\\WindowsApps\\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\\InstallServicePlugin.dll"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32\ThreadingModel = "Both"	GamingServices.exe

Loads dropped DLL 3 IoCs

pid	Process
1348	svchost.exe
212	gameinputsvc.exe
64	Process not Found

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CA935D70-369D-4CB7-BFEA-E9B4ED767CD6}.catalogItem	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D3A13171-7966-4CE6-9FED-0EFA5574DB9C}.checkpoint	svchost.exe
File created	C:\Windows\system32\xgamecontrol.exe	GamingServices.exe
File created	C:\Windows\system32\xgamehelper.exe	GamingServices.exe
File opened for modification	C:\Windows\system32\GameInputRedist.dll	gameinputsvc.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\gameflt.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.cat	DrvInst.exe
File created	C:\Windows\system32\gamingservicesproxy.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\xvdd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4FE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.inf	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D3A13171-7966-4CE6-9FED-0EFA5574DB9C}.checkpoint	svchost.exe
File created	C:\Windows\system32\gamingtcuihelpers.dll	GamingServices.exe
File created	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFAC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFCD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFCE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFCE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.sys	DrvInst.exe
File created	C:\Windows\system32\gameplatformservices.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_eae73d4477526335\xvdd.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4EC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\gameflt.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.inf	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7CAB8E08-8684-47BA-A44E-93B1BABC7248}.catalogItem	svchost.exe
File opened for modification	C:\Windows\system32\xgameruntime.dll	GamingServices.exe
File created	C:\Windows\system32\GameInputRedist.dll	gameinputsvc.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_eae73d4477526335\xvdd.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4EC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.sys	DrvInst.exe
File created	C:\Windows\system32\xgameruntime.dll	GamingServices.exe
File created	C:\Windows\system32\gameconfighelper.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFCD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\gameflt.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9	DrvInst.exe
File created	C:\Windows\system32\gamelaunchhelper.dll	GamingServices.exe
File created	C:\Windows\SysWOW64\GameInputRedist.dll	gameinputsvc.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\SETBFAC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\xvdd.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}\xvdd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_eae73d4477526335\xvdd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b6527a19-5cb0-5c40-a482-fca6dcb9f6fc}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4ED.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4ED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{755cee0c-d31b-9545-8ecb-76420d9d775d}\SETC4FE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft GameInput\x64\gameinput.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft GameInput\x64\gameinputredist.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\catbfd5519c2b57eb0ee9fe1d5b706a7b44.cat	msiexec.exe
File created	C:\Program Files (x86)\Microsoft GameInput\x86\gameinput.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft GameInput\x86\gameinputredist.dll	msiexec.exe
File created	C:\Program Files (x86)\Windows Kits\10\Catalogs\catded785c75b3d3adeef26e53fee6beba8.cat	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{6BBE9278-659F-FA16-E4B8-C2D60DE0DCC7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6F2.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e59b2fd.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	GamingServices.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\e59b2fa.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.pnf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e59b2fa.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	gameinputsvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	gameinputsvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	gameinputsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	gameinputsvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	GamingServices.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{BAEE68FB-2B54-4DE3-BECC-4FF62E89ABAF}\ApplicationFlags = "1"	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	gameinputsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F4C14F1-68A8-4DAC-93CA-AC4BD6A2F91C}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DF33-5862-4B1F-872A-2FB54951A60E}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{516CF1AD-972B-454E-BAAD-44063CE034B8}\ = "IEnumGamePlatformPackageSpecifiers"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E652A68A-88A2-45BF-8D2E-7404278C7F8A}\ = "IGameAppExtensions"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c4ffeb73-c9fc-44f1-930b-ad0254e8270f}\ = "IUserPropertiesChangedArgs"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6f070d63-df98-4865-ad33-809b89dcf0ef}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AC85287-EEC3-40C4-B86A-853CDCCC0559}\ = "IXGameSaveService"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CD4BEF6-AEB3-41D7-ABBC-61C35CCBD4AD}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6FF479-E54E-4786-AC2A-10D35C5B93A7}\ = "IXGameSaveBlobQueryHandler"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8040B92-21EA-48C3-882B-45B69FF04AF4}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7025B35A-849F-49CB-BBFD-EEA00E5C2A01}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{483DCCC8-BEF4-4268-9F88-82D758F22B62}\SynchronousInterface	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C8B9BA5-D030-44F8-819E-EA04BE3CC9C8}\ = "IGamePlatformGameSaveService"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C0947C0-A113-47D8-ACC2-1F3FB425EA88}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5d3910a4-74e0-4cf1-bfad-50b1c6522cfa}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4B5CFBF-8BBE-4F20-ACC8-9840410FA851}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE84CFB-60D0-48BD-A7B8-2EA8D5862282}\ = "IEnumPackageInstallFeatures"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80E6F60D-CDEB-4A5E-86FF-C45DFFA775DC}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7819FFCA-EFF3-45AD-B95A-810DADD84AAB}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8040B92-21EA-48C3-882B-45B69FF04AF4}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29EF372A-D438-4FAF-A173-8E109B0F675E}\ = "IEnumInstallId"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4DAB5B8-A025-4A72-84AC-7FE45C6E5456}\SynchronousInterface\ = "{CB48C4B7-2ADA-438F-A9CA-E6ACC3838C4B}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7A9F597-904F-42D6-9E3B-7684D049B04E}\ = "GamePlatformCustomizationService"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C30D27D6-20E1-4E42-87E1-6BE72E5F1388}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7819FFCA-EFF3-45AD-B95A-810DADD84AAB}\ = "IGamePlatformConfigService"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ddacfd60-1b49-4657-bafc-e062b6e1e7a2}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6f070d63-df98-4865-ad33-809b89dcf0ef}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AC85287-EEC3-40C4-B86A-853CDCCC0559}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F48B00E-45A9-435B-B458-2FFC8FC3AF9E}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e67d6fbc-a1cf-56c1-b374-9043bc3c5c58}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6A5D79E-AE9D-4CAC-BBCC-7F145E07EC2A}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13A35C28-08C9-4805-9E85-D7ED759314F9}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F187A451-AC81-4283-935D-2A2C4797D3D6}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8729EBB6F95661AF4E8B2C6DD00ECD7C\SourceList\LastUsedSource = "n;1;C:\\Program Files\\WindowsApps\\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2964DB41-BAE4-4996-A0A0-D036BFFDC267}\ = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{846A35A8-E4C9-4C4D-AC26-1B425AA218C6}\ = "IGamePlatformCustomizationService"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C8B9BA5-D030-44F8-819E-EA04BE3CC9C8}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A12C8BE7-9A85-4565-966D-C9C3C8617D41}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE51CF4F-D657-41C0-AC3B-7218A32CA524}\ = "IUsersUiProvider"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4D2BF08-1409-4918-9D84-32EE00E9178C}\ = "AsyncIXGameSaveReadHandler"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE3E855-E7D0-4B3A-8C65-867C37739E45}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49E253A2-F974-4B44-8400-75C9A2B48708}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C8ADF3-BBC4-46B2-BD96-E9105D203438}\ = "IUsersClientWindows"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FCE4871-593B-44CC-9868-AAA631C5D2D7}\ = "GamePlatformProcessMonitorService"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7A9F597-904F-42D6-9E3B-7684D049B04E}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EA477743-75BC-472B-84ED-275E0D70F423}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4FF525D5-AC7F-4D25-8CEC-23686C02A7C9}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36366C1F-B5FF-42B3-A4E8-03DD891A56CC}\ = "IGamePlatformXRuntimeClient"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7025B35A-849F-49CB-BBFD-EEA00E5C2A01}\AsynchronousInterface\ = "{483DCCC8-BEF4-4268-9F88-82D758F22B62}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{05BE69B0-B0CD-4DDF-B3F4-735165435D93}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0796012e-ba5d-43f2-add1-b2aacf6e0eda}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB48C4B7-2ADA-438F-A9CA-E6ACC3838C4B}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C0947C0-A113-47D8-ACC2-1F3FB425EA88}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1FEC1B52-5B90-4316-B6B2-CBEEE255C3D7}\ = "IGamePlatformXRuntimeServer"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D48B9253-BA66-46A7-AC85-8DA49F3A7EFD}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81a071a8-08cb-59f3-ade7-8ce0499458f4}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7A9F597-904F-42D6-9E3B-7684D049B04E}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE84CFB-60D0-48BD-A7B8-2EA8D5862282}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D657678E-9088-4EDD-A39F-234AAF6BEBFF}\ProxyStubClsid32\ = "{25209EC2-1BAD-45AB-AC18-42396DF52294}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF97431-ACD1-43E4-87C1-DCDA640F42F3}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2bee07d0-da2e-459e-b30c-0399c285e809}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7025B35A-849F-49CB-BBFD-EEA00E5C2A01}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7025B35A-849F-49CB-BBFD-EEA00E5C2A01}\ = "IXGameSaveQueryHandler"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a88bbde8-607c-507e-8b2f-ff422ef2c8a7}\ = "Windows.Foundation.AsyncOperationCompletedHandler`1<GameCore.Users.IAddUserResult>"	GamingServices.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1856	msiexec.exe
1856	msiexec.exe
212	gameinputsvc.exe
212	gameinputsvc.exe
1912	GamingServices.exe
1912	GamingServices.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	MinecraftInstaller.exe
Token: SeShutdownPrivilege	4376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4376	msiexec.exe
Token: SeSecurityPrivilege	1856	msiexec.exe
Token: SeCreateTokenPrivilege	4376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4376	msiexec.exe
Token: SeLockMemoryPrivilege	4376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4376	msiexec.exe
Token: SeMachineAccountPrivilege	4376	msiexec.exe
Token: SeTcbPrivilege	4376	msiexec.exe
Token: SeSecurityPrivilege	4376	msiexec.exe
Token: SeTakeOwnershipPrivilege	4376	msiexec.exe
Token: SeLoadDriverPrivilege	4376	msiexec.exe
Token: SeSystemProfilePrivilege	4376	msiexec.exe
Token: SeSystemtimePrivilege	4376	msiexec.exe
Token: SeProfSingleProcessPrivilege	4376	msiexec.exe
Token: SeIncBasePriorityPrivilege	4376	msiexec.exe
Token: SeCreatePagefilePrivilege	4376	msiexec.exe
Token: SeCreatePermanentPrivilege	4376	msiexec.exe
Token: SeBackupPrivilege	4376	msiexec.exe
Token: SeRestorePrivilege	4376	msiexec.exe
Token: SeShutdownPrivilege	4376	msiexec.exe
Token: SeDebugPrivilege	4376	msiexec.exe
Token: SeAuditPrivilege	4376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4376	msiexec.exe
Token: SeChangeNotifyPrivilege	4376	msiexec.exe
Token: SeRemoteShutdownPrivilege	4376	msiexec.exe
Token: SeUndockPrivilege	4376	msiexec.exe
Token: SeSyncAgentPrivilege	4376	msiexec.exe
Token: SeEnableDelegationPrivilege	4376	msiexec.exe
Token: SeManageVolumePrivilege	4376	msiexec.exe
Token: SeImpersonatePrivilege	4376	msiexec.exe
Token: SeCreateGlobalPrivilege	4376	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeTcbPrivilege	1588	gameinputsvc.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe
Token: SeRestorePrivilege	1856	msiexec.exe
Token: SeTakeOwnershipPrivilege	1856	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4376	1912	GamingServices.exe	96
PID 1912 wrote to memory of 4376	1912	GamingServices.exe	96
PID 1588 wrote to memory of 212	1588	gameinputsvc.exe	100
PID 1588 wrote to memory of 212	1588	gameinputsvc.exe	100
PID 2932 wrote to memory of 4152	2932	svchost.exe	102
PID 2932 wrote to memory of 4152	2932	svchost.exe	102
PID 2932 wrote to memory of 4516	2932	svchost.exe	104
PID 2932 wrote to memory of 4516	2932	svchost.exe	104
PID 2932 wrote to memory of 4636	2932	svchost.exe	105
PID 2932 wrote to memory of 4636	2932	svchost.exe	105
PID 2932 wrote to memory of 2524	2932	svchost.exe	106
PID 2932 wrote to memory of 2524	2932	svchost.exe	106
PID 2932 wrote to memory of 3116	2932	svchost.exe	107
PID 2932 wrote to memory of 3116	2932	svchost.exe	107

C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1348
- C:\Windows\system32\svchost.exe
  "svchost.exe"
  2⤵
  PID:4608

C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\GamingServices.exe
"C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\GamingServices.exe"
1⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /i "C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\gameinputredist.msi" /quiet /l*v "C:\Windows\TEMP\gameinputredist.log"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4376

C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
"C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe"
1⤵
PID:1960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe
"C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe
  "C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe" Global\GameInputSession_1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Windows\TEMP\{c933e723-3f6d-2644-822e-1e9d30e8b7cc}\xvdd.inf" "9" "4ecdd1eeb" "0000000000000148" "Service-0x0-3e7$\Default" "0000000000000164" "208" "C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\drivers"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4152
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "SWD\XvddEnum\XvddRootDevice_Instance" "" "" "48fe919b3" "0000000000000000"
  2⤵
  - Drops file in Windows directory
  PID:4516
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Windows\TEMP\{fd8adb4e-7b5f-2b49-8727-f70d353c189a}\gameflt.inf" "9" "41bf4167f" "0000000000000164" "Service-0x0-3e7$\Default" "0000000000000160" "208" "C:\Program Files\WindowsApps\Microsoft.GamingServices_8.71.12001.0_x64__8wekyb3d8bbwe\drivers"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4636
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.inf" "0" "41bf4167f" "0000000000000178" "Service-0x0-3e7$\Default"
  2⤵
  - Drops file in Windows directory
  PID:2524
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.inf" "0" "4e7d9c3d3" "0000000000000164" "Service-0x0-3e7$\Default"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft GameInput\x64\GameInputRedist.dll

Filesize
309KB

MD5
4e24767339e4fba8a58743bebed614fe

SHA1
f7c509725564e7d1cf4aaccfa6d902b2baec6b3e

SHA256
6bb2493a395eebb9ba027202c76257ca0690788849ae48aba7f3c4d6920510b6

SHA512
0cfcd3be6ff7ff453759b599666a1f91c45c02a4db2b5c51654edbcaaaaff31dcb030a7456789703762482b2f5168a9b22030462addfecfc845d8b628739c2ba

Download Submit
C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe

Filesize
89KB

MD5
a7fc52c5d696905d21add3993f65c167

SHA1
0fcab224024b27a30674e37356819dc5b6eb257d

SHA256
d700523c0803c3224761307ffbc26b8d7e77d6bd58a19647fcae76f2d62f71cb

SHA512
288d2f7495dcb6c994db96df17c565b75fbb506439eac9e71b0a45e93e9be05a2d2d76a2a95b84658a31db32321c651a33be70f4e8ca17c0ceecf220692a61a8

Download Submit
C:\Program Files (x86)\Microsoft GameInput\x64\gameinputsvc.exe

Filesize
89KB

MD5
a7fc52c5d696905d21add3993f65c167

SHA1
0fcab224024b27a30674e37356819dc5b6eb257d

SHA256
d700523c0803c3224761307ffbc26b8d7e77d6bd58a19647fcae76f2d62f71cb

SHA512
288d2f7495dcb6c994db96df17c565b75fbb506439eac9e71b0a45e93e9be05a2d2d76a2a95b84658a31db32321c651a33be70f4e8ca17c0ceecf220692a61a8

Download Submit
C:\Program Files (x86)\Microsoft GameInput\x86\GameInputRedist.dll

Filesize
194KB

MD5
0f2dce8e055ddfbc411d61d8be0865aa

SHA1
83b5d12b40dc5773f37188ad2f789f38c81e7a27

SHA256
624a69ec4e26ef82ee5812c3322af03f2bb9aa03c31c38a19fea89e6c46399a6

SHA512
2c2ec83d46d6372400f37b75b79e57af2cca1d46469f925d3dc5ad20284c9c2c1d2f9f6befcd3e1e3f59536c81205da6df61585a3da4cf4bfb9339364c62e527

Download Submit
C:\Windows\SYSTEM32\gameplatformservices.dll

Filesize
449KB

MD5
9f20e413755a01138104efd82d8f625b

SHA1
46d76e8df934ea76ea26b1492e26f72d72145086

SHA256
6edef18b5066d5e2105119e9ec764ce273ab3397d0cc61b9d4574b0ee9af7af3

SHA512
4b2f496b3f29dbb6d106efc23a14c4d1cb543690eb19e09d8fb33f20505af229992e5afb149af053edff4023e9b097ef98734be9ab70e5e12a52259e3673f686

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
48da913a87044ed6e4774582c40b3040

SHA1
7ca19dea0e3b9b51c72def364a089ec70207c523

SHA256
98402158b572a7a284198e35b648d0fbb062c94086c5b42f63111c80320a33b7

SHA512
d93369c6b236accd868c364e2e2e3a83617e7828b39912e55767a6361aa7ccda06406fc4b8832649819ebc0ec4786925a48c82e7a9f23134ca8f8c23fc67dc82

Download Submit
C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.cat

Filesize
11KB

MD5
97bae2895240df0703cd2b4c4b26369a

SHA1
cd864ce39287dbd3cf05ddbe1979872410e02e24

SHA256
d163d13b6d29227eb275f39fcd84a594b5476371c4953358c943b7858501ea82

SHA512
e731eeb561bdfe87ca16c468481dbeb0efd893e6fade3e8932b51d59743e739e7262bed12c4a8446fe46efbf80989adab4913b99093437160b617017a101d196

Download Submit
C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.inf

Filesize
2KB

MD5
838b501597050731b5898710a2389c17

SHA1
a4729ebdbb824ff91fc21dccc2bae7459f5353fb

SHA256
8fdc80cf6bce891ed4a2dfcbb049083f352c54ae75ed039a8cee9373192dfa16

SHA512
3a689d850e194757c46838ac38c52ad34e85f515a925cb35a8935d86467f33e53454ac705f7fef7f9aa72907511f6ef384c143d3836acaa49d94a240d169882f

Download Submit
C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_6284700d01a44dd9\gameflt.sys

Filesize
147KB

MD5
44559b9f38c85b0f33725978a3bfda69

SHA1
6e6d84ad324bb93e5d22240e2caedc8a26c8e9be

SHA256
01d0afd8345be9d32ca33c8b77a0ac2e9c5e460b8b787e3fbd5c83d0e97b39e2

SHA512
12bd911564f5535bf9c17e0be4980922356071b5c7d61682e48f368beff755350bdfad3fbe5e69905b9355bfa339b98b36fb9db2a5a4229f99bd17c108bf98e7

Download Submit
C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_eae73d4477526335\xvdd.inf

Filesize
1KB

MD5
a8fb1dc60adc6780fc29477b381c18df

SHA1
8e4318fb70cd6f2d1dc762204d699632924b3b4f

SHA256
80ec0504e48def867cdbb27d4d74c17767281c3baf21677f4ba154c1c147025e

SHA512
21d95d28a3f73e14c95aa194a07f9bb361865022b679ec53c82245b4e889368f88a4c9eb3de7d729d96b5378ed28934b374e58bdd796d4dbd4098103f558b307

Download Submit
C:\Windows\System32\GameInputRedist.dll

Filesize
309KB

MD5
4e24767339e4fba8a58743bebed614fe

SHA1
f7c509725564e7d1cf4aaccfa6d902b2baec6b3e

SHA256
6bb2493a395eebb9ba027202c76257ca0690788849ae48aba7f3c4d6920510b6

SHA512
0cfcd3be6ff7ff453759b599666a1f91c45c02a4db2b5c51654edbcaaaaff31dcb030a7456789703762482b2f5168a9b22030462addfecfc845d8b628739c2ba

Download Submit
C:\Windows\System32\GameInputRedist.dll

Filesize
309KB

MD5
4e24767339e4fba8a58743bebed614fe

SHA1
f7c509725564e7d1cf4aaccfa6d902b2baec6b3e

SHA256
6bb2493a395eebb9ba027202c76257ca0690788849ae48aba7f3c4d6920510b6

SHA512
0cfcd3be6ff7ff453759b599666a1f91c45c02a4db2b5c51654edbcaaaaff31dcb030a7456789703762482b2f5168a9b22030462addfecfc845d8b628739c2ba

Download Submit
C:\Windows\System32\gameplatformservices.dll

Filesize
449KB

MD5
9f20e413755a01138104efd82d8f625b

SHA1
46d76e8df934ea76ea26b1492e26f72d72145086

SHA256
6edef18b5066d5e2105119e9ec764ce273ab3397d0cc61b9d4574b0ee9af7af3

SHA512
4b2f496b3f29dbb6d106efc23a14c4d1cb543690eb19e09d8fb33f20505af229992e5afb149af053edff4023e9b097ef98734be9ab70e5e12a52259e3673f686

Download Submit
C:\Windows\TEMP\gameinputredist.log

Filesize
1KB

MD5
a2d37173f18fb0bcc843fd5c708c3007

SHA1
15224bbc9050551aae1c0e0870c1369dab6cadb2

SHA256
ad8041cffc3d243aa59f37b617808d64699bb74b5be34c62f6c7ae6b44616429

SHA512
5104c5e75e61402d452e4aac5b51550206031cbe9118bbf4aaf7e8d86b9477a7a239bc456caba516081cf74ca291a0700223b5f3d5865d7e775fcf89b223c114

Download Submit
C:\Windows\TEMP\{C933E~1\xvdd.cat

Filesize
11KB

MD5
a9445e4d7e7a561b252aad7a1bed1e5f

SHA1
2171d312cef14843249bf197d5a9db6727f7a581

SHA256
3d46434d8a331a9f97b4b68449f520945ba325272e14b0944a5890297536a7b4

SHA512
409c2ac68b1cc5511132ccdee160dbe6deed167fe805563b52f7f490117da4e5bfabc9e9977f12cdbab960d4353456e4114cef433529d9d36f20b981841136b7

Download Submit
C:\Windows\TEMP\{C933E~1\xvdd.sys

Filesize
659KB

MD5
a97cc88ebaf58378f16971e6875fe5a1

SHA1
4238e160cfe1cb554951fc49fac7ad0eb88cf944

SHA256
f5cec1a2c850b03f6c5b30c9f5253a2ed0d05318690b9a35f4bf50f0c198d6f9

SHA512
6031bfd32631d69eca431f4af28e1d76c2f3c90e3e621fc1c5ec69a3e13610aca6ea136ff673fd10fa121b3bb051d53e66d5087a06a77624e89c73d97167053d

Download Submit
C:\Windows\TEMP\{FD8AD~1\gameflt.cat

Filesize
11KB

MD5
97bae2895240df0703cd2b4c4b26369a

SHA1
cd864ce39287dbd3cf05ddbe1979872410e02e24

SHA256
d163d13b6d29227eb275f39fcd84a594b5476371c4953358c943b7858501ea82

SHA512
e731eeb561bdfe87ca16c468481dbeb0efd893e6fade3e8932b51d59743e739e7262bed12c4a8446fe46efbf80989adab4913b99093437160b617017a101d196

Download Submit
C:\Windows\TEMP\{FD8AD~1\gameflt.sys

Filesize
147KB

MD5
44559b9f38c85b0f33725978a3bfda69

SHA1
6e6d84ad324bb93e5d22240e2caedc8a26c8e9be

SHA256
01d0afd8345be9d32ca33c8b77a0ac2e9c5e460b8b787e3fbd5c83d0e97b39e2

SHA512
12bd911564f5535bf9c17e0be4980922356071b5c7d61682e48f368beff755350bdfad3fbe5e69905b9355bfa339b98b36fb9db2a5a4229f99bd17c108bf98e7

Download Submit
C:\Windows\TEMP\{c933e723-3f6d-2644-822e-1e9d30e8b7cc}\xvdd.inf

Filesize
1KB

MD5
a8fb1dc60adc6780fc29477b381c18df

SHA1
8e4318fb70cd6f2d1dc762204d699632924b3b4f

SHA256
80ec0504e48def867cdbb27d4d74c17767281c3baf21677f4ba154c1c147025e

SHA512
21d95d28a3f73e14c95aa194a07f9bb361865022b679ec53c82245b4e889368f88a4c9eb3de7d729d96b5378ed28934b374e58bdd796d4dbd4098103f558b307

Download Submit
C:\Windows\TEMP\{fd8adb4e-7b5f-2b49-8727-f70d353c189a}\gameflt.inf

Filesize
2KB

MD5
838b501597050731b5898710a2389c17

SHA1
a4729ebdbb824ff91fc21dccc2bae7459f5353fb

SHA256
8fdc80cf6bce891ed4a2dfcbb049083f352c54ae75ed039a8cee9373192dfa16

SHA512
3a689d850e194757c46838ac38c52ad34e85f515a925cb35a8935d86467f33e53454ac705f7fef7f9aa72907511f6ef384c143d3836acaa49d94a240d169882f

Download Submit
C:\Windows\inf\oem3.inf

Filesize
2KB

MD5
838b501597050731b5898710a2389c17

SHA1
a4729ebdbb824ff91fc21dccc2bae7459f5353fb

SHA256
8fdc80cf6bce891ed4a2dfcbb049083f352c54ae75ed039a8cee9373192dfa16

SHA512
3a689d850e194757c46838ac38c52ad34e85f515a925cb35a8935d86467f33e53454ac705f7fef7f9aa72907511f6ef384c143d3836acaa49d94a240d169882f

Download Submit
\??\c:\windows\system32\gameinputredist.dll

Filesize
309KB

MD5
4e24767339e4fba8a58743bebed614fe

SHA1
f7c509725564e7d1cf4aaccfa6d902b2baec6b3e

SHA256
6bb2493a395eebb9ba027202c76257ca0690788849ae48aba7f3c4d6920510b6

SHA512
0cfcd3be6ff7ff453759b599666a1f91c45c02a4db2b5c51654edbcaaaaff31dcb030a7456789703762482b2f5168a9b22030462addfecfc845d8b628739c2ba

Download Submit
memory/4572-136-0x0000000007730000-0x000000000773E000-memory.dmp

Filesize
56KB

Download
memory/4572-132-0x00000000001E0000-0x00000000021AA000-memory.dmp

Filesize
31.8MB

Download
memory/4572-135-0x000000000BB80000-0x000000000BBB8000-memory.dmp

Filesize
224KB

Download
memory/4572-137-0x00000000027D0000-0x00000000027DA000-memory.dmp

Filesize
40KB

Download
memory/4572-138-0x0000000007FC0000-0x0000000007FE6000-memory.dmp

Filesize
152KB

Download
memory/4572-134-0x000000000BB70000-0x000000000BB78000-memory.dmp

Filesize
32KB

Download
memory/4572-133-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download