3f44ac193cf68ad1309feff3d432122f4a903920dc23ade59a4ff3cf51e12b72

Analysis

max time kernel
231s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 08:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

GameSetup.7z
Size

3.0MB
MD5

1ebb88eeb566498b86b3575ada884477
SHA1

bafd26b19cd7df726e2d18d821126687bea81ca7
SHA256

3f44ac193cf68ad1309feff3d432122f4a903920dc23ade59a4ff3cf51e12b72
SHA512

932a917331ae4254c26096f8e84c26caf6863b203e472ef953c767b529336394f9e188946f1ed13a554f6fbfe5ab5145425077b440eadb9c0add328d3067a4e9
SSDEEP

98304:itZI4tG+2uzHUse2R5elfEF9vtammGFnB:itOSG+2uzHUXGBSGFB

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 8 IoCs

pid	Process
1608	setup.exe
1852	NDP472-KB4054530-x86-x64-AllOS-RUS.exe
2460	Setup.exe
5036	sqlwriter.exe
4128	Game Of 15.exe
3872	sqlservr.exe
2412	sqlservr.exe
440	Game Of 15.exe

Loads dropped DLL 64 IoCs

pid	Process
2460	Setup.exe
2460	Setup.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3856	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
5036	sqlwriter.exe
3588	MsiExec.exe
3588	MsiExec.exe
1184	MsiExec.exe
1184	MsiExec.exe
4128	Game Of 15.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
3872	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe
2412	sqlservr.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\SQL Debugging\\130\\ssdebugps.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	sqlservr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\SqlServerSpatial150.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\Resources\de-DE\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\3082\xeclrhostpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1046\xepackage0.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\3082\xesqlpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1042\xplog70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1031\xesqlminpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Templates\master.mdf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1036\msxmlsql.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\SqlUserInstance.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\ja-JP\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\localdbxeventconfig.xml	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Templates\msdblog.ldf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\opends60.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlboot.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1028\msxmlsql.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlscriptupgrade.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\Resources\zh-CN\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\2052\xesqlpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1033\xplog70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\License Terms\License_SqlLocalDB_1042.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\License Terms\License_SqlLocalDB_2052.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1041\odsole70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlscriptdowngrade.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\SqlUserInstance.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1036\xesospkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1036\xeclrhostpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1046\xesospkg.rll	msiexec.exe
File created	C:\Program Files\Common Files\Microsoft Shared\SQL Debugging\130\ssdebugps.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\90\Shared\SqlWriterConfig.ini	sqlwriter.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Templates\msdbdata.mdf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\2052\msxmlsql.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\it-IT\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\xmlrwbin.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1046\xplog70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\Tools\Binn\Resources\SqlLocalDB.rll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\Resources\fr-FR\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1031\xepackage0.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1046\xesqlpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\mssqlsystemresource.ldf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1031\xplog70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\etwcnf.xml	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\ru\sqlaccess.resources.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\xelocaldbpkg.mof	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\xepkg0.mof	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\3082\xesqlminpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1028\XPStar.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\License Terms\License_SqlLocalDB_1049.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\odsole70.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\Tools\Binn\Resources\zh-CN\SqlLocalDB.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlos.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\fr-FR\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1028\xesqlpkg.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\hkengine.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlDK.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlmin.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1033\xepackage0.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\2052\sqlevn70.rll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\Resources\en-US\SqlUserInstance.rll.mui	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\svl.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1028\xepackage0.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Resources\1049\odsole70.rll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\150\LocalDB\Binn\Resources\zh-TW\SqlUserInstance.rll.mui	msiexec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server\90\Shared\SqlWriterLogger.txt	sqlwriter.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5879af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI870D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8856.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8903.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{57DD331D-84B2-4F36-B041-06F218BD5E76}\ARPIco	msiexec.exe
File created	C:\Windows\Installer\e5879b4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI983A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9906.tmp	msiexec.exe
File created	C:\Windows\assembly\tmp\VQTZAFF8\Microsoft.SqlServer.Types.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sort00060101.nlp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI973F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA07D.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sort00001000.dll	msiexec.exe
File created	C:\Windows\Installer\{57DD331D-84B2-4F36-B041-06F218BD5E76}\ARPIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B9C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5879b6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A6F.tmp	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5879af.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB464.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB64A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B5B.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sort00060101.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9997.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{57DD331D-84B2-4F36-B041-06F218BD5E76}	msiexec.exe
File created	C:\Windows\Installer\e5879b3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5879b4.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{102CB9B1-1129-4008-9374-98DA0E3C2216}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3492	4128	WerFault.exe	128

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	sqlservr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ed06fb648d6ef2080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ed06fb640000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ed06fb64000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ded06fb64000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ed06fb6400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	sqlservr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	sqlservr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000	sqlservr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\PackageCode = "3A61970FFA6DD044A840F2A64DF52FCB"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Client\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\ = "Microsoft SQL Server Virtual Device Interface for Client"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D133DD752B4863F40B14602F81DBE567\Sql_LocalDB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DF-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32\ = "{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\ = "PSFactoryBuffer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Server	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\ = "IHostDebugDebuggerInstance"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\ProductName = "Microsoft SQL Server 2019 LocalDB "	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Client.2\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DF-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\ProgID\ = "MSSQL.VDI.Server.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15A6710FA809042488352E920DEAF393\D133DD752B4863F40B14602F81DBE567	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\SourceList\Media\1 = "LocalDB;"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\VersionIndependentProgID\ = "MSSQL.VDI.Client"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18E0-C8B3-11D5-AE96-00B0D0E93CC1}\ = "IEnumHostDebugSymbol"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D133DD752B4863F40B14602F81DBE567\SQL_WRITER_LocalDB = "Sql_LocalDB"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Server\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DD-C8B3-11D5-AE96-00B0D0E93CC1}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\VersionIndependentProgID\ = "MSSQL.VDI.Client"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\ = "Microsoft SQL Server Virtual Device Interface for Server"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DD-C8B3-11D5-AE96-00B0D0E93CC1}\NumMethods\ = "18"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DD-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32\ = "{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\VersionIndependentProgID\ = "MSSQL.VDI.Server"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Client\ = "Microsoft SQL Server Virtual Device Interface for Client"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Server\ = "Microsoft SQL Server Virtual Device Interface for Server"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DF-C8B3-11D5-AE96-00B0D0E93CC1}\ = "IHostDebugBinary"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Client	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DC-C8B3-11D5-AE96-00B0D0E93CC1}\ = "IHostDebugServerInstance"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DC-C8B3-11D5-AE96-00B0D0E93CC1}\NumMethods\ = "5"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DE-C8B3-11D5-AE96-00B0D0E93CC1}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Client.2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Client\CurVer\ = "MSSQL.VDI.Client.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DD-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\SQL Debugging\\130\\ssdebugps.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D133DD752B4863F40B14602F81DBE567	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSSQL.VDI.Client\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DC-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DD-C8B3-11D5-AE96-00B0D0E93CC1}\ = "IHostDebugEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Server.2\CLSID\ = "{b5e7a132-a7bd-11d1-84c2-00c04fc21759}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DC-C8B3-11D5-AE96-00B0D0E93CC1}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.SqlServer.Types,fileVersion="2019.150.2000.5",version="15.0.0.00000000",culture="neutral",publicKeyToken="89845DCD8080CC91",processorArchitecture="MSIL" = 580061004500380044003600750021004f00410069004a0070006b00760021007200670026004e00530071006c005f004c006f00630061006c00440042003e00430079002b00790059004d0058007d0054004100400041002900240045004c00660074007e004e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\80\\COM\\sqlvdi.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{87BC18DE-C8B3-11D5-AE96-00B0D0E93CC1}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D133DD752B4863F40B14602F81DBE567\Sql_LocalDB_Loc = "Sql_LocalDB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Server\CLSID\ = "{b5e7a132-a7bd-11d1-84c2-00c04fc21759}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D133DD752B4863F40B14602F81DBE567\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{87BC18DC-C8B3-11D5-AE96-00B0D0E93CC1}\ProxyStubClsid32\ = "{87BC18DB-C8B3-11D5-AE96-00B0D0E93CC1}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2460	Setup.exe
2656	msiexec.exe
2656	msiexec.exe
2656	msiexec.exe
2656	msiexec.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1028	7zFM.exe
2988	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1028	7zFM.exe
Token: 35	1028	7zFM.exe
Token: SeSecurityPrivilege	1028	7zFM.exe
Token: SeShutdownPrivilege	1548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1548	msiexec.exe
Token: SeSecurityPrivilege	2656	msiexec.exe
Token: SeCreateTokenPrivilege	1548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1548	msiexec.exe
Token: SeLockMemoryPrivilege	1548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1548	msiexec.exe
Token: SeMachineAccountPrivilege	1548	msiexec.exe
Token: SeTcbPrivilege	1548	msiexec.exe
Token: SeSecurityPrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeLoadDriverPrivilege	1548	msiexec.exe
Token: SeSystemProfilePrivilege	1548	msiexec.exe
Token: SeSystemtimePrivilege	1548	msiexec.exe
Token: SeProfSingleProcessPrivilege	1548	msiexec.exe
Token: SeIncBasePriorityPrivilege	1548	msiexec.exe
Token: SeCreatePagefilePrivilege	1548	msiexec.exe
Token: SeCreatePermanentPrivilege	1548	msiexec.exe
Token: SeBackupPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeShutdownPrivilege	1548	msiexec.exe
Token: SeDebugPrivilege	1548	msiexec.exe
Token: SeAuditPrivilege	1548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1548	msiexec.exe
Token: SeChangeNotifyPrivilege	1548	msiexec.exe
Token: SeRemoteShutdownPrivilege	1548	msiexec.exe
Token: SeUndockPrivilege	1548	msiexec.exe
Token: SeSyncAgentPrivilege	1548	msiexec.exe
Token: SeEnableDelegationPrivilege	1548	msiexec.exe
Token: SeManageVolumePrivilege	1548	msiexec.exe
Token: SeImpersonatePrivilege	1548	msiexec.exe
Token: SeCreateGlobalPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe
Token: SeTakeOwnershipPrivilege	2656	msiexec.exe
Token: SeRestorePrivilege	2656	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1028	7zFM.exe
1028	7zFM.exe
2988	msiexec.exe
2988	msiexec.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe
5044	taskmgr.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1028	952	cmd.exe	95
PID 952 wrote to memory of 1028	952	cmd.exe	95
PID 1608 wrote to memory of 1852	1608	setup.exe	110
PID 1608 wrote to memory of 1852	1608	setup.exe	110
PID 1608 wrote to memory of 1852	1608	setup.exe	110
PID 1852 wrote to memory of 2460	1852	NDP472-KB4054530-x86-x64-AllOS-RUS.exe	111
PID 1852 wrote to memory of 2460	1852	NDP472-KB4054530-x86-x64-AllOS-RUS.exe	111
PID 1852 wrote to memory of 2460	1852	NDP472-KB4054530-x86-x64-AllOS-RUS.exe	111
PID 1608 wrote to memory of 1548	1608	setup.exe	112
PID 1608 wrote to memory of 1548	1608	setup.exe	112
PID 1608 wrote to memory of 1548	1608	setup.exe	112
PID 2656 wrote to memory of 3856	2656	msiexec.exe	114
PID 2656 wrote to memory of 3856	2656	msiexec.exe	114
PID 2656 wrote to memory of 3948	2656	msiexec.exe	115
PID 2656 wrote to memory of 3948	2656	msiexec.exe	115
PID 1608 wrote to memory of 2988	1608	setup.exe	117
PID 1608 wrote to memory of 2988	1608	setup.exe	117
PID 1608 wrote to memory of 2988	1608	setup.exe	117
PID 2656 wrote to memory of 3588	2656	msiexec.exe	118
PID 2656 wrote to memory of 3588	2656	msiexec.exe	118
PID 2656 wrote to memory of 3588	2656	msiexec.exe	118
PID 2656 wrote to memory of 1492	2656	msiexec.exe	122
PID 2656 wrote to memory of 1492	2656	msiexec.exe	122
PID 2656 wrote to memory of 1184	2656	msiexec.exe	124
PID 2656 wrote to memory of 1184	2656	msiexec.exe	124
PID 2656 wrote to memory of 1184	2656	msiexec.exe	124
PID 4128 wrote to memory of 3872	4128	Game Of 15.exe	129
PID 4128 wrote to memory of 3872	4128	Game Of 15.exe	129
PID 4128 wrote to memory of 2412	4128	Game Of 15.exe	130
PID 4128 wrote to memory of 2412	4128	Game Of 15.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GameSetup.7z
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GameSetup.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2780

C:\Users\Admin\Desktop\GameSetup\setup.exe
"C:\Users\Admin\Desktop\GameSetup\setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\VSDBA67.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-RUS.exe
  "C:\Users\Admin\AppData\Local\Temp\VSDBA67.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-RUS.exe" /q /norestart /skipenucheck /ChainingPackage FullX64ClickOnce
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1852
- - F:\75caeb9adb6b63a5787e9873c97c\Setup.exe
    F:\75caeb9adb6b63a5787e9873c97c\\Setup.exe /q /norestart /skipenucheck /ChainingPackage FullX64ClickOnce /x86 /x64 /lcid 1049 /lpredist
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2460
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\VSDBA67.tmp\SqlLocalDB2019\x64\sqllocaldb.msi" -q IACCEPTSQLLOCALDBLICENSETERMS=YES
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\Desktop\GameSetup\GameSetup.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1624 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8
1⤵
PID:3552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 677F524CD21959A9526B2BB3B7C35A0D
  2⤵
  - Loads dropped DLL
  PID:3856
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 7B7F8E1B027470C1E65FE7C1F7A93CB5 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D9758A441AB3D70D7B8DCBDB77E605EA C
  2⤵
  - Loads dropped DLL
  PID:3588
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F067A7A0071B739E0EAE9459F137AAA8
  2⤵
  - Loads dropped DLL
  PID:1184

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2284

C:\Users\Admin\Desktop\Game\Game Of 15.exe
"C:\Users\Admin\Desktop\Game\Game Of 15.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe
  "C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\\sqlservr.exe" -m -K -T1617 -w5 -c -SMSSQL15E.LOCALDB -sLOCALDB#06740375 -d"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\master.mdf" -l"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\mastlog.ldf" -e"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\error.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  PID:3872
- C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe
  "C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\\sqlservr.exe" -c -SMSSQL15E.LOCALDB -sLOCALDB#84E4152A -d"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\master.mdf" -l"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\mastlog.ldf" -e"C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\error.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1832
  2⤵
  - Program crash
  PID:3492

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
1⤵
PID:1684

C:\Users\Admin\Desktop\Game\Game Of 15.exe
"C:\Users\Admin\Desktop\Game\Game Of 15.exe"
1⤵
- Executes dropped EXE
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5879b2.rbs

Filesize
1.0MB

MD5
9ee5a07d0270b6a37c67b4bf5031c430

SHA1
096f85c2823f7744341589ae9324cbaa52a14c16

SHA256
e373417dbfd3613d9ab7a6556b4e9276005ee928705255f283611157c1e31b1c

SHA512
004c384ab07e3f369805da73571293ebd58da5529e02674a7bdcf9b2345e9f30bb811cfa7b5c741f319718b11ceffa4af1eae3406f728c4307b707097224f54a

Download Submit
C:\Config.Msi\e5879b5.rbs

Filesize
10KB

MD5
b3c703ee7d0125c836f735f04f098acf

SHA1
570d34172f2e576edc0736cfbf47bb30b3bb1c9a

SHA256
778902fcc31e0664f31d5e1800c060be9b54cd93e22163332c89ec759fa1e7b2

SHA512
c130632051eb9620940c489cf41be14a8fba50e2d106135968df37df43b174a69b3dbcd04c50211c23d58b3b13e035751c1fc3581c71c07cd9fdbb226eecd408

Download Submit
C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\sqlservr.exe

Filesize
611KB

MD5
117803fedcd2ebf4526e73a3e3cdf7e8

SHA1
3d37c0bdbd02e97f50217b1bd660292af3215ee4

SHA256
fd35b5a5714265738df70e5f38bcb090d4400cb561ac3d224b2549cad2fe52c6

SHA512
73866764f235907dd4c9e4eeb710d62d11a0216e599d7e85c0cf0adf5c6e847d331b05ea755051d0d8ae92338a4f1e1fac5fcddada2a69317653b60078a68ba5

Download Submit
C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe

Filesize
187KB

MD5
7499efe9d70f31217cc79bafcaf233de

SHA1
347c9b6b51dd1be49c0b5a9f8b3a8b1568d53447

SHA256
1ae93c0340ed1b6da3db791bf29cc753be0e6506e3e779538b34b6dc73f6dae5

SHA512
ca8cf62f268626bc0a98c0658c41ff4f9b5deb005ff120cd82a8995552ac25ed15ef5e14e800bc2f7a03df2869c022229b24c6de40446f9f7a326f706af8668c

Download Submit
C:\Program Files\Microsoft SQL Server\150\Shared\instapi150.dll

Filesize
91KB

MD5
e6ae84bc34be6de4340a2b9726f0eeb8

SHA1
7182e7071dbe1308b1e753a3cb04fac5d7fdb938

SHA256
f2b018d326dd8a5808133efb3bf6705cd4e7ba7a98b6f99d095cc4883439b4a9

SHA512
914e3210b736b18839ac8a5d1857e7f3743586509b3de178c4086dd575b5259d37f4cb9190dc2c1ed5ef7d4da380a5d739e22d0937d5afdc33d10c73fef8fc53

Download Submit
C:\Program Files\Microsoft SQL Server\150\Shared\xe.dll

Filesize
711KB

MD5
0e75ec755b86da58fc18fddf0dc3f1c6

SHA1
48d10b8401ea8bd7ae4ad9b492ac404b79496214

SHA256
ce8e39fb593e5ecf6129f2c4f31e5780bd9a3b8154f5dbbd4943a9f4fabe546d

SHA512
977c65b709ae18c335f103926105de13ee876781eec90f3ac180d139cc97589ba2c847390e5709236ca6ce4266afc797521974045239a91075f0b9188f2aa53b

Download Submit
C:\Program Files\Microsoft SQL Server\90\Shared\SqlWriterConfig.ini

Filesize
791B

MD5
8df348df5973558b149bf1db64e9db4f

SHA1
c4464d50bf470af1966cefc3c7ce0e9c768bd2e5

SHA256
8d1717ba488d148edd656e9d17a3b8d8e52734fb8b85daa0b5b1b2c987047cd1

SHA512
30b1bc8b66926007ed399b1a04dad2a0b22838cd518e2fa3bd9e8ce1a47694a95f293cbb50f7168c3440131d015f0ef845be92f812ce396a6eb21678f49bbd28

Download Submit
C:\Program Files\Microsoft SQL Server\90\Shared\SqlWriterLogger.txt

Filesize
2KB

MD5
99cc46d8aba24be00d9da541c4e25cf6

SHA1
ae7be8dddde5c9e99975aef5736c9462018172df

SHA256
90cdbb5cfb7d3e6df969b9c470a02d057b5faabbffba249d969f120798e1f1a5

SHA512
42afcd2b5ef77773a7979080308021a0833254b4eb3cbbe2c93f5ff54f8235f60ee28ec49cd2f6d456d056bb7b32719ec3d937ff9b7293c619bba4db2dde7841

Download Submit
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

Filesize
159KB

MD5
8550a0de5b61a8f81a16aa3bdcdef446

SHA1
26448f9a6d1224647fb09445f667330617cd51cd

SHA256
43717de020db8e3201795e73c05398f3478ce07178c1bcb4e569307af19a6f72

SHA512
354f8deb940d705e3cfe01693d8f637998e2382d73df2589fd2ef23238ba9220f5de9d6d9216614f40c26f0e365ff618f3722ba8b5d5a2e2d856f3f9464306c0

Download Submit
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwvss.dll

Filesize
403KB

MD5
e33967cd68806be3976c04bcc7840b21

SHA1
90beec34bdbd89fbf8e5bb448de62c8711de90b2

SHA256
2c686d3aaa344545492dee5b060fc5c32be32dad17691fc388d83667abaf3cbb

SHA512
8a6e49b45661496049336dc49979cbcea663128df34793833a5aadc9a05c87268e6459ee19f2da86a84b5b7dc910f2029aad7c53cf7fe6ea9d8fa066b5f14a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\tempdb.mdf

Filesize
8.0MB

MD5
33adb3c62f895e23ae7d2045993d0660

SHA1
26c20bcf232f8ee9b62b466c7ac757d9a2bb18ab

SHA256
4444487fbd15e4c54ea0c033b23008f9c1fcca8ffb85e80a96b2d15161c3b5c8

SHA512
950eb4661f92d99e49c1727f0299ae15a55b3ef13a01bbe273588c5573804d492b7ed6ee4b955e77046fb2c57d5e4a6043c7ca5305479205abc1cfc5bd065505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\tempdb.mdf

Filesize
8.0MB

MD5
c306915bcd466e318d6d62c7ed03dfb4

SHA1
e8e2acb74ec2984859c20fac6ef6fbd20696093d

SHA256
dc3200c387155d58fabfa32f89bc0f0ee81f38df9582bc74aa3f00dd8adb5d15

SHA512
5b4d585c38032f274ca97653921378028f12f5222ddc8fbd1e5482ef69e738596c1d3a572b94043623cb37e84ff96257cd012504a2927777fdfa6e8242ede443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\tempdb.mdf

Filesize
8.0MB

MD5
08091b5cd8225f315d2c748f121e4089

SHA1
1f77ceb0e8f61aa33ee0a66336f30dc8d25cf4d2

SHA256
858968355b46b0019d1554596d8c71dc8d6687d3c17474c78468183db621ebed

SHA512
0da583259f94d159cbc004082fbac61df01f9f8dbbc6c39b4f561df63cc8afdeba4ade43de0efe2ec6fc8ec86ef3a624d3fe54a8f8087573c60971dd9a297c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\tempdb.mdf

Filesize
8.0MB

MD5
9b12d2a535e99c227a406a6ee70cebb2

SHA1
f5b496b3cf30921721172cea49410096641faf74

SHA256
5c18357aa047f543c2fff6292f7909b0ecbd6446c75a5289a8514c0446ad0ae2

SHA512
ccf61c7a0ef09d25e807898acf5000dfcf86339533946b8b8c37834b295a284f7382b33da63145afafacd33c91045eba0e6247ec4f8ae79c79d4250169b15a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\templog.ldf

Filesize
504KB

MD5
cf61e359b3901c8a2b7349af35e4e057

SHA1
508e51d6e03c27faff2bfeb43107a1e91743722d

SHA256
b106f2b13cbff2f49d2a1cd71e73f2278628c4649926182c38753126c8cf8a3b

SHA512
9f50aa40492f3baa3a013d2a60417e65d3fdfaa1a1f5c8611e690e073086ea8a8aaf6ffb3527e337a6fdcc63f7032f915c797a5f3c78a73eca12409a2ad74e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\MSSQLLocalDB\templog.ldf

Filesize
504KB

MD5
66e8783b5a9f7e834ec57059ef9a6f04

SHA1
9e66f29e305524ec023c8f43caa2b625957aecc9

SHA256
b376319ff3fe8228f346b0e992e87ac74a6b00fc13cee42ba0f1415399959f17

SHA512
71cef374c46e22c7da4165080b3f0a67462236b1b36419e63dfa2e5312e8a5fce3b5963fdf3658058e8701a2094f900eb0608eec5935f44a03b615aa7aa7d0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI5E0A.tmp.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC474.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSDBA67.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-RUS.exe

Filesize
5.5MB

MD5
08d4f9b511f449ba958f787d7c6d9921

SHA1
8eef75bf658e600c8435a7c52e4ff5c74c62b511

SHA256
2e071532bef751bf97cdda25a9de6135b62bae6df0df779333a508f166171c7b

SHA512
c2cd5e2f4ae1fba44e4ec6c124cacadeaa8b9c19eec8defd3c9427a6ef376bcf90582301156b998698659327aa7c26ffbffc37279818ddbee910a06e948e013a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSDBA67.tmp\SqlLocalDB2019\x64\sqllocaldb.msi

Filesize
53.3MB

MD5
6932a42ea9bc533e892e20dbd09cbe9b

SHA1
84caf4181c2e02d78f7c62b2cd013f84101d256e

SHA256
c96c055af0799cdcc67fc15ed70d862184bd4d4d6f327660abb4f1546a173042

SHA512
3501a065c9b76f95e8f53a49c580ee4598e9e25bb8e608dbf449d8589de57dae392fddb9a6c6a8f07988ab14d5664d2164f0118dc1c75c7f140eb218d36ecae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{102CB9B1-1129-4008-9374-98DA0E3C2216}\_12891A4F121BAAA8138717.exe

Filesize
66KB

MD5
b6e4699e0ac39ad2c2ea0e8570cf0410

SHA1
7bca373a4543454391dd75f9fc211f9e8184b1bc

SHA256
9b62c79f1ec80c54e02f0287262e237704ffc175ccaf0eba490eee90bb4c83b3

SHA512
0ae0510e03323733a32940f67f34a1d276389eb2a21f2f256d0651a36714eeb78ed2a83c19006347cff36bfd412a79af10f4714192da24f938df1d24f1b29f9e

Download Submit
C:\Users\Admin\Desktop\GameSetup\GameSetup.msi

Filesize
3.4MB

MD5
ea17c76fa9ac325a9e8aa63c0836c7c8

SHA1
fbfc5131dc6622764741a7d2a21f1c511f0a666f

SHA256
43b5d3a440399fe2d0925c4d2665c69a16dfd1147bf59275f13da8b29d836c2f

SHA512
f0b22cadc60dee32436357f2d0f53bb83c5df1197cdd09deb2fcc4145f8209c439a63136ed4b8a4f45f6d95df5410139932c7be60a5aeb867746675e90e89f0f

Download Submit
C:\Users\Admin\Desktop\GameSetup\setup.exe

Filesize
882KB

MD5
075deb7ebb1e3d565c808c39bd8b2e36

SHA1
eacecfc08f970849983970d1710bb1fea77a632a

SHA256
b9fc44a1d9bc4d8ba99cdf8c4e649f38d5186107e21d7b8d7b36b993f1e56256

SHA512
3e24562c6542849a56438275891e78d113b625bfdf2005b48514d0cd4716a19b74c32e9bccf24832dfcf3eec5bb64d341101cf030296200340c5c6498b556ff8

Download Submit
C:\Windows\Installer\MSI870D.tmp

Filesize
179KB

MD5
7536f266f5e81514ddf08892828fb75d

SHA1
51de1481ff507bff92ef4743327e4b624a15b518

SHA256
7efded652899166032a97c5b5038baa43fc6a34b43e34dfb7d75bf89e636ee01

SHA512
d9fe9f900eea4550898956af0e6b02dab25b82835bc67d773052ae086c48cf1a338ea8e2257ee1734cead5f9c0b134978b0dbd7c18436031af61076777643bb7

Download Submit
C:\Windows\Installer\MSI8856.tmp

Filesize
543KB

MD5
3b30d3307cda374141f24a7279383be1

SHA1
c91f6a4abfb5eb860fceb5d7791d799216789940

SHA256
b02f4471ccf246660a3933a58d3567878bed700e8633c90da723db1e03332138

SHA512
cc53f7ea8899a7393f061b52ecf7024fdce66f0b4c8f46c83255fb83e69db6172493d32b698a005d00a8e6392caf9012cc36e3935ee46ede3069eaf0fafc907a

Download Submit
C:\Windows\Installer\MSI8903.tmp

Filesize
483KB

MD5
e8f3d3917e6d487f8bd2976e697d36fd

SHA1
22be0c773a8c1168dba9884dfdc87700ec39c52e

SHA256
3c69ce314fede99f14acae5dc4e2cb3520c4f05d17a0ca2eb2ef28e7b1e907cd

SHA512
f7369d3de14eaad63473fb715f3739a243b1177f62e70c990cfd87b1fe17fbb77981d971cabe4a18b2975a3df6320cd195180fc79450e48f9f5dffd163cec1d8

Download Submit
C:\Windows\Installer\MSI9906.tmp

Filesize
627KB

MD5
1e78c4f725393afc53b0316549207c51

SHA1
37cb2a7235a35c29feba1014489869588de19c6b

SHA256
bd161c97de1af1984fa7b4b8fa71b501107c284074b69ca1a1808b26dd64ee31

SHA512
e4b58445a22b70c14f5dddf98625c5146b5c8d02133f0e2fbe1f2d2807bba6890e07bc293713b1fcd6f29d792cc6223a1ce22c13b318d17ee541b5877d0d9701

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\1033\LocalizedData.xml

Filesize
80KB

MD5
64767bc621a1e7340b06ce7c3b824948

SHA1
e2c001e6a84d9659e64ddb4952d061c159f0cee5

SHA256
680ef849e3c03088c692f65ccd1bd88c5843077be4256dca61d4aed671927027

SHA512
079653668a6e82429863c52c92d3e94b6e8bf88b2e27006873dd68d1a1bd18246903946f0554d46931d501d3eed682d48608b50606f00c46b5ee50f9f293a8c7

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\1049\LocalizedData.xml

Filesize
84KB

MD5
ec93f69d277d4759272e3fb0ae519289

SHA1
f8f9e55b7053030ee997939c0c694fbbd7ccd108

SHA256
a86c87b4660a5d18d8fd48e2e8d360844cd4b7aa5240e9613a78d6092b2c8295

SHA512
80d538f169689c88b3709818966f2fd9a5be4bfa5b0b6106df650b1ae9b19174c9947c13b4f5ed872ab6b9dc5fa60e4fec21e6e42469db91a0f03c5b182ad6d2

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\ParameterInfo.xml

Filesize
1.1MB

MD5
71b3e64cbd392694b60d38d256949723

SHA1
ac0e758e489ac2e5123c0fd7af37af7d8d259011

SHA256
1db12764afbe4cffb0c77e33fd27c5db3567e5f99b29ada7e1171ee9e2e3bf06

SHA512
be3ef32ebf5969f4c4056fc8b8b7af4f251edccc80ecb910abc911d9517c492045828895553f600033e2d6545a20c0bb8b9a1437ff878c6ad1783dc071e5656c

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\Setup.exe

Filesize
80KB

MD5
5b378d6133955269f9ff9571756e68be

SHA1
6ddc7a4179e092e9e7c5815b87df3e5e6a2b557a

SHA256
622ffbd06c57f0ee5e72f58bbab05780153b9cc8918b784597d7f141597e7f29

SHA512
441644895081905d9edc8c8c7ea9514e94390b89e94b5e94a34080c9efa382e3ff5d6edaea9fe03b7d8e1fcbc62b8e656e638d55940c4408046fa2c7ebc727f0

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\SetupEngine.dll

Filesize
859KB

MD5
62f60fbb153615f0f9854566462afffa

SHA1
b76ac946ae61ef577b12e0165f1ee39c79e05f40

SHA256
80d286407891cd55a6ee0822a9ba85ff9f1ca57e0d71a78049729276ea5f4d38

SHA512
718a5b42c7796eb2b14a26226f2de60bd804960c7c756baf44001d2a7df8faa463deccf9f30a4671c86a2110c225bd4ffad1343ef71a09b471da4132ae7fae19

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\UiInfo.xml

Filesize
35KB

MD5
8ace169bf65675c089e0327d5b1f7437

SHA1
43646e29c878f58ac4b5d7c192d11b3becd9e9f6

SHA256
8f7847cfc9ec70b6758f6fbe9b98809ca7bf8ecb25bf9b3a8e7e052b83dfa94b

SHA512
3e98f8351e96bab4b8cecf93e590c722233d119d7cec76445a0b170f69de647bd65eafeafecc8888573e986b3f80403480728c7a1e014961fbd60dc169ca5db7

Download Submit
F:\75caeb9adb6b63a5787e9873c97c\sqmapi.dll

Filesize
223KB

MD5
0c0e41efeec8e4e78b43d7812857269a

SHA1
846033946013f959e29cd27ff3f0eaa17cb9e33f

SHA256
048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c

SHA512
e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28

Download Submit
memory/440-828-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/440-823-0x0000000009190000-0x00000000091DC000-memory.dmp

Filesize
304KB

Download
memory/440-822-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/440-821-0x0000000004D30000-0x0000000005084000-memory.dmp

Filesize
3.3MB

Download
memory/440-820-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/440-826-0x000000000A430000-0x000000000A44E000-memory.dmp

Filesize
120KB

Download
memory/440-832-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/440-824-0x00000000091E0000-0x0000000009201000-memory.dmp

Filesize
132KB

Download
memory/440-827-0x000000000A480000-0x000000000A4A2000-memory.dmp

Filesize
136KB

Download
memory/2412-722-0x00007FF97D770000-0x00007FF97E231000-memory.dmp

Filesize
10.8MB

Download
memory/2412-825-0x00007FF97D770000-0x00007FF97E231000-memory.dmp

Filesize
10.8MB

Download
memory/2412-723-0x00000208B0030000-0x00000208B00A6000-memory.dmp

Filesize
472KB

Download
memory/2656-448-0x000001661F350000-0x000001661F3AD000-memory.dmp

Filesize
372KB

Download
memory/3872-721-0x00007FF97D770000-0x00007FF97E231000-memory.dmp

Filesize
10.8MB

Download
memory/3872-631-0x00000185CC730000-0x00000185CC7A6000-memory.dmp

Filesize
472KB

Download
memory/3872-630-0x00007FF97D770000-0x00007FF97E231000-memory.dmp

Filesize
10.8MB

Download
memory/4128-619-0x0000000005E40000-0x0000000005E4A000-memory.dmp

Filesize
40KB

Download
memory/4128-618-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/4128-614-0x00000000005D0000-0x000000000088E000-memory.dmp

Filesize
2.7MB

Download
memory/4128-613-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4128-615-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/4128-616-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/4128-617-0x0000000005350000-0x00000000056A4000-memory.dmp

Filesize
3.3MB

Download
memory/4128-620-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/4128-621-0x00000000097D0000-0x000000000981C000-memory.dmp

Filesize
304KB

Download
memory/4128-622-0x0000000009860000-0x000000000989C000-memory.dmp

Filesize
240KB

Download
memory/4128-623-0x0000000009820000-0x0000000009841000-memory.dmp

Filesize
132KB

Download
memory/4128-819-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/5044-724-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-725-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-726-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-736-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-730-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-734-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-733-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-735-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-732-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download
memory/5044-731-0x000002CDBB3A0000-0x000002CDBB3A1000-memory.dmp

Filesize
4KB

Download