83a5f942b2a15eab4826ef1709ec6a7f9637a7ec0fce16585776848797307fa4

Resubmissions

01/06/2024, 12:34

240601-pr8azadc55 1

01/06/2024, 12:28

240601-pnbslacd3x 5

Analysis

max time kernel
288s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftInstaller.exe
Size

32.3MB
MD5

4f02ac057355b5dc73ea28aecd2d56b4
SHA1

32591cb75779a3e308a44e75a76f821e7dee11e0
SHA256

83a5f942b2a15eab4826ef1709ec6a7f9637a7ec0fce16585776848797307fa4
SHA512

9eb08f85559df6af9192bec8904097d4e43a832ba9e9cc1c7be1a366af8d103c3a6db3886f00927ae5eb62055fbc770c7b5a3d2a122a0b460b51136083015368
SSDEEP

393216:nbekuyo9nMK50UGRXLePuq2ZWy/c5zFviMKe2OHmwv9CsTmsueFFza9ye:6Zn/G4Gqk1cWe2iTVCMue3E

Score

5^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	MinecraftInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	GamingRepair.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.cat	DrvInst.exe
File created	C:\Windows\system32\xgameruntime.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCF5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\gamelaunchhelper.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCF5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB785.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\xvdd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.sys	DrvInst.exe
File created	C:\Windows\system32\gameconfighelper.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\xvdd.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCF4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\gameflt.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB785.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB7A5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCF4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCE4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCE4.tmp	DrvInst.exe
File created	C:\Windows\system32\xgamecontrol.exe	GamingServices.exe
File created	C:\Windows\system32\gamingservicesproxy_4.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\xvdd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB7A6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_59b4347e90e3996c\xvdd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\gameflt.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\xgameruntime.dll	GamingServices.exe
File created	C:\Windows\system32\xgamehelper.exe	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB7A5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB7A6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\gameflt.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\system32\gameplatformservices.dll	GamingServices.exe
File created	C:\Windows\system32\gamingtcuihelpers.dll	GamingServices.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_59b4347e90e3996c\xvdd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xvdd.inf_amd64_59b4347e90e3996c\xvdd.inf	DrvInst.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	GamingRepair.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\inf\oem4.pnf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	GamingServices.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
2976	GamingRepair.exe
3564	GamingRepair.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5528	sc.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0ACBC224-E08F-4B42-8723-B451584D6969}\InProcServer32\ = "C:\\Windows\\system32\\gamingservicesproxy_4.dll"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0ACBC224-E08F-4B42-8723-B451584D6969}\InProcServer32\ThreadingModel = "Both"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32\ = "C:\\Program Files\\WindowsApps\\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\\InstallServicePlugin.dll"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FBA5170-10C4-4185-89E3-2D8389223563}\InProcServer32\ThreadingModel = "Both"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0ACBC224-E08F-4B42-8723-B451584D6969}\InProcServer32	GamingServices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	GamingServices.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	GamingServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamingRepair.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GamingRepair.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GamingRepair.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	GamingRepair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	GamingRepair.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{BAEE68FB-2B54-4DE3-BECC-4FF62E89ABAF}\ApplicationFlags = "1"	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{BAEE68FB-2B54-4DE3-BECC-4FF62E89ABAF}	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{BAEE68FB-2B54-4DE3-BECC-4FF62E89ABAF}\DeviceId = "0018400F87E523C5"	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{BAEE68FB-2B54-4DE3-BECC-4FF62E89ABAF}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000005e39aa2276da854a8b9333102729428b000000000200000000001066000000010000200000008088d08770f9ac50bed6bfd6f7d234160a4026c0e28e696340526f2a9a2e6773000000000e80000000020000200000006d515308a11e0ddd49429947acf44147b5d8cba230d4191d6e248e75349fd494b0030000d94a3182bd52f6dfe57604310a1aa0df18554fa31b7d8b8bc5c5e7bd6dd89a571927dad90817db68d2fd8aaa0d3fedb52f914879341956851246cab139f7d31b7745600474a3bb497d1b4e49ae691727ae6a7b8453a5a764088c0df531c4a97f31cb7f9cc66f3cf0a09975af99451d1bba857c74477cdedd583f629e79b41d1fde81b2ee3bdd5af4429e0d5b156d27e71b3e6bc65727fa634b5d5e78417fbe6be36751b0b0f00871b466c1815eabb9e01a6483907c7782f0dbfd1c7c9483dea892101e8a62da8803ace6369b07183109b66fe8cf04c5fc16e9a137f4a3d356ac04f2cbbb56b5434768a0b47b6c7e8a2417a11ad3267f35f972ff124a8613c517cd198db9baea691404a1ae931c44adfc8e029e89281f37ba2f93e6d87a0d2fb005b79e8ff223cce7c3ad0998fb21d6d7622855bab9e9eb1dca590f7f7e1a77c19eb1b5fbb704c4b963d3d6b96e85e365a818da634ff303cdb4cd7ab43b9394106f58a527fa7b6793170ca8024caa1cab6f2a1aa1ad6f6ef1cf9474e9e33b5ddcdff975883e211e0e047ff34b7b3530a647916e825d75a310acdf66ec074c14f34957978dbc83dca59ea34342db5c200706a93e0863f272e04fa7e4275ad1ed07d248899189f24eb7a81bdbaacab5b8651395549a21d8671d0b305b9376e91f0dc8839926f7c6132ea77ffdbd198a0e33b1b27e80ade0597c54169f90e8c35ebc83c0c77b20c08227c584224056ab585e28d6f26d50fbcc7095e9c16d4412c9ed5d18291fe940bc8d10b196112bdb2d641c10fab5c7dcc594128ad885c91f055383704e219d30d3a568b1a14a474bc9464946788960ada93be741b640135d125ba754a8cdc25367632fc30f5d1256eb1699ee7b00dfd2a2d753104075a54c8d475382bc29aacf674ccdb74bea84cc9c78cbbb41cd8861e6ea501f930d021a9a8061fdcd342284a3c51f7ec3a0143e452c36d2dcee71b8a6f48cb486c4c486dc25a06bd108a4216888fb72a229101777a16d83901f6e70cafd83b6f4348bb19f229f78e89f7d991fc992db0c7d10ccef930a6a969c2005bfac059be8bca94b11b706bab66d2f3d2b9cc8a231b081609f44eab315ec9bf061012eb37cd8782be72edd4500b6c00d62a9680a2172a2a61b927f09330c3d656c2c002afe8db750ff161a4da2a7c3e59dae8ee02bb8e52b1b7e486c2de5f0861008adbd7832db13632914b9fdd427f93d40a16eac6b1794b3c26fc94e82f85a4ae84155eb823cc4e994801804efdbb0f6e313a7627f0134fad3c5b680e9495e4cda61898a7f142cba6f34b4842b9536653569c90cf0c0c447a7400000000bb654313c88b6b624ae63c7f8e46a19cc0cc213b866b6045acc6beaa8b256dfd77a3fc1e86da94a634d362f76091e1d269971cfc8763ca18318cfcec0011744	GamingServices.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE3E855-E7D0-4B3A-8C65-867C37739E45}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51CFF62E-8DBF-43FF-94EF-AC6236A248EF}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5d3910a4-74e0-4cf1-bfad-50b1c6522cfa}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4DAB5B8-A025-4A72-84AC-7FE45C6E5456}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6593254-0EA2-4938-8D62-7B353395126A}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{268d0fdf-ac77-4a6f-a524-eddea6cae1e9}\ = "GamePlatformUser"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{516CF1AD-972B-454E-BAAD-44063CE034B8}\ = "IEnumGamePlatformPackageSpecifiers"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E118543-2CA9-49D9-80F4-255B76E3D84E}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F29BCE54-1E43-48E0-AC77-382337B080C7}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8040B92-21EA-48C3-882B-45B69FF04AF4}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9291ed54-b88c-556f-b870-49a901ac529d}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E97EABA8-9BCD-4930-992E-2ADC66176817}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{862A26A8-2D87-4D8E-8E6B-17DB48B8234D}\LocalService = "GamingServices"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A27D3CE-19F3-4CE7-8E51-CBBDC8DEE291}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ddacfd60-1b49-4657-bafc-e062b6e1e7a2}\ = "IUserStateChangedArgs"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6f070d63-df98-4865-ad33-809b89dcf0ef}\ = "IUsersSkuSpecificServerConnection"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{efe11087-73c4-4916-aede-3090618123b9}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AC85287-EEC3-40C4-B86A-853CDCCC0559}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{483DCCC8-BEF4-4268-9F88-82D758F22B62}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C54E80C6-8A29-4CE4-B259-630F735CF8B6}\ = "IGameCorePackageService_V5"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{846A35A8-E4C9-4C4D-AC26-1B425AA218C6}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6ce4ed0e-055e-4818-aa61-37d734d093b7}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8040B92-21EA-48C3-882B-45B69FF04AF4}\ = "IXGameSaveNameQuery"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{516CF1AD-972B-454E-BAAD-44063CE034B8}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8c287778-d681-5cc4-8b71-7beb22a83c21}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CD4BEF6-AEB3-41D7-ABBC-61C35CCBD4AD}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6593254-0EA2-4938-8D62-7B353395126A}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42A916AC-911D-47DB-8676-8862EC17CC54}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{390f4bd8-3660-409e-8faf-dacdb440a0ee}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{115E6AF7-8620-4B0E-A9B1-4CA958B8A24D}\ = "IXGameSaveReadHandler"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F48B00E-45A9-435B-B458-2FFC8FC3AF9E}\SynchronousInterface\ = "{AD6FF479-E54E-4786-AC2A-10D35C5B93A7}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{710318A4-861A-4599-9DA2-50C84EE59ED8}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D7505-C0B4-4B6C-9060-41D7D67B40EB}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B5323F02-4DB5-4442-BD09-FD78E0F61CEB}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4CDEE6B-7333-4CD1-BB77-8F2E520C36FB}\ = "IGameCorePackageIo_V3"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E652A68A-88A2-45BF-8D2E-7404278C7F8A}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3E8C9ABE-9226-4609-BF5B-60288A391DEE}\ = "InstallServiceProgressHandler"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C0947C0-A113-47D8-ACC2-1F3FB425EA88}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D657678E-9088-4EDD-A39F-234AAF6BEBFF}\ = "IGameCorePackageIo_V2"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F3DD6FF-DA47-4AD4-860A-CBA6276C3EF7}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B8040B92-21EA-48C3-882B-45B69FF04AF4}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{a446b764-c16f-5f41-a237-07935f2473a7}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f2746100-46b0-45c1-8403-9bafe4253fa9}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DF33-5862-4B1F-872A-2FB54951A60E}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29EF372A-D438-4FAF-A173-8E109B0F675E}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20851EC4-DFB8-4708-A87D-E428532E583A}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87D2D74-150C-4498-875F-3FA375B079AE}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{090795DB-989B-4625-B397-083D85066042}\ = "IEnumGamePlatformStoreId"	GamingServices.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2964DB41-BAE4-4996-A0A0-D036BFFDC267}\LaunchPermission = 010014806400000070000000140000003000000002001c000100000011001400040000000101000000000010001000000200340002000000000018000b000000010200000000000f0200000001000000000014000b00000001010000000000010000000001010000000000050a00000001020000000000052000000021020000	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEA688F3-0625-45AB-AF1A-EFCF9BB440F6}\LocalService = "GamingServices"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5FB9AC1-AD68-45C5-B7EB-6F2498AEFAA7}\AppId = "{2964DB41-BAE4-4996-A0A0-D036BFFDC267}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEBF8959-5F3F-408B-9A60-436F5E97A46A}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEBF8959-5F3F-408B-9A60-436F5E97A46A}\ = "IEnumGamePlatformPackageRecipes"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01958D59-8ABB-4DB9-B8B7-17345BE2E9FF}\ = "IGameCorePackageService_V9"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A2EE83-73B2-416D-88F4-4BC1B1FE996D}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F4C14F1-68A8-4DAC-93CA-AC4BD6A2F91C}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19BE86F3-3A39-4FB9-9B68-2C51ACB6509F}	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AC85287-EEC3-40C4-B86A-853CDCCC0559}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01958D59-8ABB-4DB9-B8B7-17345BE2E9FF}\ProxyStubClsid32	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7819FFCA-EFF3-45AD-B95A-810DADD84AAB}	GamingServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8c287778-d681-5cc4-8b71-7beb22a83c21}\ProxyStubClsid32	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e67d6fbc-a1cf-56c1-b374-9043bc3c5c58}\ProxyStubClsid32\ = "{0ACBC224-E08F-4B42-8723-B451584D6969}"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D7505-C0B4-4B6C-9060-41D7D67B40EB}\ = "IPackageLaunchIdentifier"	GamingServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FACCFDC4-ED66-4EFF-8F00-AA1374E4499D}\ = "PackageLaunchIdentifier"	GamingServices.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5752	sdiagnhost.exe
5752	sdiagnhost.exe
4284	sdiagnhost.exe
4284	sdiagnhost.exe
5764	GamingServices.exe
5764	GamingServices.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	MinecraftInstaller.exe
Token: SeSecurityPrivilege	432	wevtutil.exe
Token: SeBackupPrivilege	432	wevtutil.exe
Token: SeSecurityPrivilege	3824	wevtutil.exe
Token: SeBackupPrivilege	3824	wevtutil.exe
Token: SeSecurityPrivilege	2532	wevtutil.exe
Token: SeBackupPrivilege	2532	wevtutil.exe
Token: SeSecurityPrivilege	5268	wevtutil.exe
Token: SeBackupPrivilege	5268	wevtutil.exe
Token: SeDebugPrivilege	5752	sdiagnhost.exe
Token: SeDebugPrivilege	4284	sdiagnhost.exe
Token: SeSecurityPrivilege	5528	sc.exe
Token: SeManageVolumePrivilege	5828	svchost.exe
Token: SeAuditPrivilege	4784	svchost.exe
Token: SeSecurityPrivilege	4784	svchost.exe
Token: SeLoadDriverPrivilege	4788	DrvInst.exe
Token: SeLoadDriverPrivilege	4788	DrvInst.exe
Token: SeLoadDriverPrivilege	4788	DrvInst.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4392	msdt.exe
1088	MinecraftInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2976	1088	MinecraftInstaller.exe	101
PID 1088 wrote to memory of 2976	1088	MinecraftInstaller.exe	101
PID 2976 wrote to memory of 4392	2976	GamingRepair.exe	102
PID 2976 wrote to memory of 4392	2976	GamingRepair.exe	102
PID 2976 wrote to memory of 432	2976	GamingRepair.exe	103
PID 2976 wrote to memory of 432	2976	GamingRepair.exe	103
PID 2976 wrote to memory of 3824	2976	GamingRepair.exe	105
PID 2976 wrote to memory of 3824	2976	GamingRepair.exe	105
PID 2976 wrote to memory of 2532	2976	GamingRepair.exe	107
PID 2976 wrote to memory of 2532	2976	GamingRepair.exe	107
PID 2976 wrote to memory of 5268	2976	GamingRepair.exe	110
PID 2976 wrote to memory of 5268	2976	GamingRepair.exe	110
PID 2976 wrote to memory of 5784	2976	GamingRepair.exe	113
PID 2976 wrote to memory of 5784	2976	GamingRepair.exe	113
PID 5784 wrote to memory of 5936	5784	wscollect.exe	116
PID 5784 wrote to memory of 5936	5784	wscollect.exe	116
PID 5784 wrote to memory of 5992	5784	wscollect.exe	117
PID 5784 wrote to memory of 5992	5784	wscollect.exe	117
PID 2976 wrote to memory of 6128	2976	GamingRepair.exe	118
PID 2976 wrote to memory of 6128	2976	GamingRepair.exe	118
PID 2976 wrote to memory of 2992	2976	GamingRepair.exe	120
PID 2976 wrote to memory of 2992	2976	GamingRepair.exe	120
PID 2976 wrote to memory of 4424	2976	GamingRepair.exe	122
PID 2976 wrote to memory of 4424	2976	GamingRepair.exe	122
PID 2976 wrote to memory of 3948	2976	GamingRepair.exe	124
PID 2976 wrote to memory of 3948	2976	GamingRepair.exe	124
PID 2976 wrote to memory of 1164	2976	GamingRepair.exe	127
PID 2976 wrote to memory of 1164	2976	GamingRepair.exe	127
PID 2976 wrote to memory of 876	2976	GamingRepair.exe	129
PID 2976 wrote to memory of 876	2976	GamingRepair.exe	129
PID 2976 wrote to memory of 536	2976	GamingRepair.exe	131
PID 2976 wrote to memory of 536	2976	GamingRepair.exe	131
PID 2976 wrote to memory of 4368	2976	GamingRepair.exe	133
PID 2976 wrote to memory of 4368	2976	GamingRepair.exe	133
PID 2976 wrote to memory of 5132	2976	GamingRepair.exe	135
PID 2976 wrote to memory of 5132	2976	GamingRepair.exe	135
PID 2976 wrote to memory of 5184	2976	GamingRepair.exe	137
PID 2976 wrote to memory of 5184	2976	GamingRepair.exe	137
PID 2976 wrote to memory of 2532	2976	GamingRepair.exe	139
PID 2976 wrote to memory of 2532	2976	GamingRepair.exe	139
PID 2976 wrote to memory of 5312	2976	GamingRepair.exe	141
PID 2976 wrote to memory of 5312	2976	GamingRepair.exe	141
PID 2976 wrote to memory of 5388	2976	GamingRepair.exe	163
PID 2976 wrote to memory of 5388	2976	GamingRepair.exe	163
PID 2976 wrote to memory of 5456	2976	GamingRepair.exe	145
PID 2976 wrote to memory of 5456	2976	GamingRepair.exe	145
PID 2976 wrote to memory of 5492	2976	GamingRepair.exe	147
PID 2976 wrote to memory of 5492	2976	GamingRepair.exe	147
PID 2976 wrote to memory of 5560	2976	GamingRepair.exe	149
PID 2976 wrote to memory of 5560	2976	GamingRepair.exe	149
PID 2976 wrote to memory of 5632	2976	GamingRepair.exe	151
PID 2976 wrote to memory of 5632	2976	GamingRepair.exe	151
PID 4284 wrote to memory of 1288	4284	sdiagnhost.exe	161
PID 4284 wrote to memory of 1288	4284	sdiagnhost.exe	161
PID 4284 wrote to memory of 5528	4284	sdiagnhost.exe	164
PID 4284 wrote to memory of 5528	4284	sdiagnhost.exe	164
PID 4284 wrote to memory of 5504	4284	sdiagnhost.exe	165
PID 4284 wrote to memory of 5504	4284	sdiagnhost.exe	165
PID 4284 wrote to memory of 5560	4284	sdiagnhost.exe	166
PID 4284 wrote to memory of 5560	4284	sdiagnhost.exe	166
PID 5560 wrote to memory of 5656	5560	net.exe	167
PID 5560 wrote to memory of 5656	5560	net.exe	167
PID 4784 wrote to memory of 4324	4784	svchost.exe	182
PID 4784 wrote to memory of 4324	4784	svchost.exe	182

C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
  "C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
  2⤵
  - Checks computer location settings
  - Checks system information in the registry
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\msdt.exe
    "C:\Windows\system32\msdt.exe" /id WindowsUpdateDiagnostic /skip TRUE
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppXDeploymentServer/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppXDeploymentServer_Operational.evtx /ow:true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppXDeployment/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppXDeployment_Operational.evtx /ow:true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppxPackaging/Operational C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppxPackaging_Operational.evtx /ow:true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" epl Microsoft-Windows-AppModel-Runtime/Admin C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Microsoft-Windows-AppModel-Runtime_Admin.evtx /ow:true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5268
- - C:\Windows\system32\wscollect.exe
    "C:\Windows\system32\wscollect.exe" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\wscollect_gr.cab
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5784
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SIH" "C:\Users\Admin\AppData\Local\Temp\registry_SIH.txt" /y
      4⤵
      PID:5936
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig" "C:\Users\Admin\AppData\Local\Temp\registry_DNSPolicy.txt" /y
      4⤵
      PID:5992
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\Software\Microsoft\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_GRTS.reg /y
    3⤵
    PID:6128
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKCU\Software\Microsoft\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_GRTS.reg /y
    3⤵
    PID:2992
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_AppModel.reg /y
    3⤵
    PID:4424
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_AppModel.reg /y
    3⤵
    PID:3948
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_Appx.reg /y
    3⤵
    PID:1164
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKCU\SOFTWARE\Classes\ActivatableClasses\Package" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_Package.reg /y
    3⤵
    PID:876
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKLM_WuPolicy.reg /y
    3⤵
    PID:536
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GamingServices" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GS_Service.reg /y
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GamingServicesNet" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GSNet_Service.reg /y
    3⤵
    PID:5132
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GameFlt" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GameFlt_Service.reg /y
    3⤵
    PID:5184
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\Xvdd" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\Xvdd_Service.reg /y
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\XblAuthManager_Service.reg /y
    3⤵
    PID:5312
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\XblGameSave_Service.reg /y
    3⤵
    PID:5388
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\GameInput Service" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\GameInput_Service.reg /y
    3⤵
    PID:5456
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\DoSvc" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\DoSvc_Service.reg /y
    3⤵
    PID:5492
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\InstallService" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\InstallService_Service.reg /y
    3⤵
    PID:5560
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\wuauserv_Service.reg /y
    3⤵
    PID:5632
- C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe
  "C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe" scenarioMinecraft
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2688

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\system32\sfc.exe
  "C:\Windows\system32\sfc.exe" /scanfile=C:\Windows\system32\Qmgr.dll
  2⤵
  PID:1288
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" sdshow bits
  2⤵
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:5528
- C:\Windows\system32\bitsadmin.exe
  "C:\Windows\system32\bitsadmin.exe" /reset /allusers
  2⤵
  PID:5504
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" start bits
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start bits
    3⤵
    PID:5656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5388

C:\Windows\system32\svchost.exe
"svchost.exe"
1⤵
PID:4236

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:6016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\GamingServices.exe
"C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\GamingServices.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Registers COM server for autorun
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5764
- C:\Windows\System32\pnputil.exe
  C:\Windows\System32\pnputil.exe /enum-drivers
  2⤵
  PID:612
- C:\Windows\System32\pnputil.exe
  C:\Windows\System32\pnputil.exe /delete-driver oem4.inf /force
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:3092

C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
"C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe"
1⤵
PID:5272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Windows\TEMP\{06e0ccca-8113-0a4f-8180-7b1d6c81a401}\xvdd.inf" "9" "4a00da8d3" "000000000000014C" "Service-0x0-3e7$\Default" "0000000000000164" "208" "C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\drivers"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4324
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "0" "SWD\XvddEnum\XvddRootDevice_Instance" "" "" "48fe919b3" "0000000000000000"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Windows\TEMP\{b390e07e-1418-2d48-84a1-0d049f94181e}\gameflt.inf" "9" "400170357" "0000000000000160" "Service-0x0-3e7$\Default" "0000000000000178" "208" "C:\Program Files\WindowsApps\Microsoft.GamingServices_21.89.21001.0_x64__8wekyb3d8bbwe\drivers"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1364
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.inf" "0" "400170357" "0000000000000170" "Service-0x0-3e7$\Default"
  2⤵
  - Drops file in Windows directory
  PID:3448
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "5" "2" "C:\Windows\System32\DriverStore\FileRepository\gameflt.inf_amd64_25b1fe3637126834\gameflt.inf" "0" "4b9547ee7" "000000000000015C" "Service-0x0-3e7$\Default"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2560293460\2024060112.000\BITSDiagnostic.debugreport.xml

Filesize
4KB

MD5
1fcff590ba2f022813ad1a382985fbd4

SHA1
0dc711a4263960923a95f2d0f9730b449498b26b

SHA256
1fba49facbd5c2fae97300d576bb92585bdbd6f40ac06860a864166eca68fb5a

SHA512
cbb1f03d73ab5ead77bae3d60b7b638e53ff0f65b4826fc390a5921a1ef0bd59f7ed7b48d3772a5e8041ec3680500a56c619fc2a60234edb294255496348540f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2560293460\2024060112.000\NetworkDiagnostics.debugreport.xml

Filesize
1KB

MD5
b8db9019f05fb835cd6f73f0587701b2

SHA1
d5f96a48ed51746a65d64fbdfbcc17d88a80e1bf

SHA256
249af2261d1a409c2049e84245df747475f2823c039df26f585ec9e36eec9a4b

SHA512
149de3a38760d4e71964dab03d58da37255c4262c1c29822de668dbf97ff49505150294fc7d49e683c2c380a0ce2765d1c8355d3f56cb74e58710e0ae10e5ece

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2560293460\2024060112.000\ResultReport.xml

Filesize
2KB

MD5
2fee628cda63f597c6420e572a075ba5

SHA1
0378df2a7574d88e3e4daddd05de526bb358a499

SHA256
987422c4a3f250ba6d3dfb27e34e2030626478961e3ed1de7157b6b50dfa43e2

SHA512
eb72596e5b8b221b4b6cf93738c9ade974d15c12076307d0b530d9652423d61c19ec83261a19fed28d76001fcadc1a702d0b6adfe5a92ef8e49c7b56dd7ec2e2

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2560293460\2024060112.000\WindowsUpdateDiagnostic.debugreport.xml

Filesize
16KB

MD5
1c1121258010043c786b9c31a5ecc2c1

SHA1
0d861afd29b0e4a3087efc4e540d49103277696c

SHA256
3a131c885cd6468391000259ae84af9728056ab7b3171a182c4701a4d8974789

SHA512
005c290fff38e0876d8ec9a0971123c14cc5d359f5e2569b3f0419cc4bee5a45cea4b9bd25df90170adf0479951a7502bd2df716340a0c4faa4b183b53a0985e

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\2560293460\2024060112.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sdiagnhost.exe.log

Filesize
6KB

MD5
515d08b2749d645867dee4b6d9715fcd

SHA1
45889db740370f1b12f7e4af2a9367eaf62ca9a1

SHA256
6d38f729dbb2f9e7edfddcff5417483fc9b42b0e98f90324bbe3b94870b7869c

SHA512
1981b27b927795da3704ea7aea7d2d0e1e38d68db88f9abb5df22ffdef2341e83b0fc3f6de9ccb533375378a0a06040fa67eb32d1871003e8425c77511878159

Download Submit
C:\Users\Admin\AppData\Local\MinecraftInstaller\deviceId.txt

Filesize
36B

MD5
89581532ad49e901f2edd31b10f43bde

SHA1
9cc3420fe77d9b867030a8cfa31c6ca0bf8849cd

SHA256
d2e4cb8fc971c66a6f580fe7448f0d70e8027dff2234f5cbb7162987bdde04f7

SHA512
bf1006cbf96c349a16dcfd8aea3ee10ed856e1a2cbfe7977cf8090867fa3c02c8d9f927bae28c62f087585df8e272683e54233e811d319dc933a0015ae91ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\GamingRepair1.etl

Filesize
512KB

MD5
89f811af97d88f659db3db24f9c6569b

SHA1
60c3294ed90dbf688dfb1d7fe159aea9209783ba

SHA256
15f9479b9fe0f9d40a6207bad3cfcfdb25fc2f55a1f02006000ad43ccb549f86

SHA512
b477c53018fdfbdc255979115fab8cd2ed6ee4199ede4cecd2e40ef84c6abb60f622e5413c87c3dfcd00118899a57e707c1a0b7ddb527c2e91c1422c867b93b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\HKCU_Package.reg

Filesize
11KB

MD5
f49563d76df012597d2a0aca26cce903

SHA1
a84e80136ff7ece1644744ee8dad22cc17c973d5

SHA256
9d86704756123ab2270ac885542a0c0e8edff00f9e622c46c823addbbe42561d

SHA512
0d19c0304e84732494a4853c3a6383e32ff6eb429e2b64c6c145c60ea034e2dc3da789f15452ae017850074e3765c24b92fab87447dfa54d069dd8ec7ab178fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiagOutputDir\GamingRepair\WerLogs\wscollect_gr.cab

Filesize
599KB

MD5
4c2a24c759da6f939794694e249013ec

SHA1
e6ae93b6f1f0efbb938a0d3650e8acbe719e1e7c

SHA256
3b587b6371d16c6bfaaa735148d3417047741f6f226028fe1d3f6af7f43c6eb0

SHA512
67ad1134d75d6024172d86b594caae6bb4defdd66a9fdcae0ee82d326f070dc945b9e26dbefc15576681bbf1a90a87949bfeb3ea33cc646da0922f51c21e616a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GamingRepair.exe

Filesize
557KB

MD5
8a4e72a29c08ae2cd13bc8ec414b8fc6

SHA1
26f8d73bc6f5ace5cec6e3652fc6410a71298498

SHA256
6513546697c3c9deb50d8dbb0cc9aa0be55487538ed482ec16b6264579de1539

SHA512
77eba566c65de1327bcacadb1483f538b4e5da67c3607398d745173ade25e987f59524a5ecf065dd5f95e26654cbb5a48dc80fae995d5d2dd63c63b2cd98fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGD3A7.tmp

Filesize
6KB

MD5
12164fc754bec671a839744c9911f849

SHA1
88bfab00f332da897161de5efba0ef00b1920053

SHA256
fced139357066fffbc1625ef6957800d10cbbd1ac34fbc544a7f579518a71ffa

SHA512
2e612d32e9a543e7fc4e8cd57ea73ce748abd91459b5ca1d6e1df2cbd938dd4d542ad82ed85507fc35a631fed07961af4c7a84098f666aaffc25be814a01fea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGD6C3.tmp

Filesize
598B

MD5
dbb043123f8b0d35466b217415d8806a

SHA1
8d9c3f974e892d7e09763b0eba736deed788f0fc

SHA256
15a0bf608e6f3374a2d3263869e477fb192c5bda9a35648744feae2a856f08d5

SHA512
0d759f2fb501093de2df54a8b5220522505fa0a7418e676b4ba76036391c88f49131580cdf910d45cd7fca90ea1588740611724e8a79758a1580c519680bde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGD721.tmp

Filesize
551KB

MD5
6acc5ed3ad514db31af67324cd389a11

SHA1
a8c224cbf5042a2c21911adf4bf319dba0cece02

SHA256
63770522103755e7119830fb9e47667cb80312da4135697923aa433afa02f5ad

SHA512
bf76f1660dfc44bdfba326640125a9f51d587a4da0279e6ad43301885e585286a7479cfeaad5cd2825ab7ca76af5b81959c438bb67aa347e529446c09032e40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGD83A.tmp

Filesize
4.3MB

MD5
f5f57277bd8eacf424450214fbac4b3f

SHA1
f055a7849a95751175e51c2a7be1f4bfeb901f90

SHA256
4b3a066be46bd5d9fd9aa31e3c931b73c4c0d10ac41c8f2c8da0847637ecfe24

SHA512
2e88ad4b912fa9d49b697c31ebaa6514266c569303b8964f74640d93422898b6bce422a5aa204fd866640e7b38d8c5a34d4682e12725564d2b73a4a57dfc5190

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGDD7A.tmp

Filesize
420KB

MD5
a2903a22386a4a614be3de0c8044963b

SHA1
eb42141f7c160374b453dfc3a98f4848575b49bf

SHA256
0dd925b2bcd2e1ae77781fe2cc5bc720b2950de5e5df01549da7d943d474acd5

SHA512
7406f6b16d132d947f47975a39698b1956c8ff03550542a14ebef7570289f99a9abd8504d18b75ce39d9bd31598fe6231f2f004e619a37f4e3051d0b5038372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGDF10.tmp

Filesize
740B

MD5
5b20f739acefbfc6237c04f216466883

SHA1
738af05cf8a177e14726ae4c4affc6d9b94da6a1

SHA256
f787f543d052d4000d007bdcd71bb6b7024293f2ad2d543b02b4121b1da3ebf8

SHA512
c82cf736af02ffe5e76b88d802e7800787826bbe5cbc59b64b4f77f9ff1168f9ed43a9c68e3a9d13407e38f16822755660d359b42ae339d0d2bac754f192651f

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE162.tmp

Filesize
3KB

MD5
f90a03d152e8202c3eb57c6e6eb710a8

SHA1
cab5b11304ebbb9a1ca9c191fbc737082bcb49b9

SHA256
89eb956a0ac5a7ebd558eaaebe485c87c40c47baf1954b272b26b0b8724a6352

SHA512
2e3e8c359ee1b97e5a01aff6192fd39236f14cd75812fb9ec2488e938c52db294c859062d89b84f6593d3c492d310fe6b514df235b52dec189e7b62e02bd86fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE1DF.tmp

Filesize
3KB

MD5
cca36a379e81a944c607e4f4d544c565

SHA1
d09aef7d6cf0bd140f121a85ae2b92307119db89

SHA256
8975303228de2bf10d7a55bfbd591bce14e4a124910265eefbeb58229347268c

SHA512
8a851c8054c694dcf0b942550de764915f0c860277f910fa0fa6d66962f7e6c7a7c8498a0abd55e51e6725fb585820a957c079351883429242e4c0abf7f79158

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE25C.tmp

Filesize
4KB

MD5
9a6b92b10fa585333d0291ac3d87537f

SHA1
9536e72a6f059ff86deaefac6676305fdb23530b

SHA256
713b38ef078f28703e15256cb30ccdf5e496256f9b0e92768d0a63be39c3e825

SHA512
28605010c1a45e8d08e1b4ab82a697694ed977213902707a03f6da0570b37cfdba00002e29ad072273d3353e18200d763e2f05cc504c36fec53778288ad5691a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE2D9.tmp

Filesize
3KB

MD5
79d558a3f5a649a98ac348ed8a0bf6dc

SHA1
5cc1a6a3339b3104af499a8d44fc426d54021e85

SHA256
23237d250e185d524d26dbdc6ce16adffa9a0b65af35fefac3bf0d01004d5bd5

SHA512
6ff24db910fd94551806670d922c31802e4f49dc68e1fc31d33cae1269822c6324563672804f0eb8fccaf2191281d860f74f243b0effcb844ebb3ec8044f85d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGE337.tmp

Filesize
10KB

MD5
b0223e1939178bf83ef084f4d98d27fa

SHA1
5d1b1aaa0e159fb6ab3370c473f38c7910b28663

SHA256
beb092700ad0e8e12c2d46c23b5f56c78fccdf25291f92fbf9f56f205f59f10d

SHA512
707d24203e0adeaa521d62f3e7b4bf4b73f17849294a7f33e8dc89d563c942a7cebc08bbd1d55d9ca3d46be835983e9310386c2339cea930a50ee862f97f01d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0pmi40gn.jk1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_DNSPolicy.txt

Filesize
270B

MD5
edcaaed49057b04d804ef38622dcfeca

SHA1
200458ae3a380983860136acca9b18d62c5bac76

SHA256
b9532ca922a984f207d3a82499308fa038e1d78169b534b8d7fc116aefe5a05e

SHA512
052065767b3bf96cf1314dd8c42940ace0d256eb7f536de0b642f5816dc0b5e6db3ce9a10450e9564b7c932e9261a9d78ca7929a4537646cbf7d5ee8c363b5fb

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
0830651197cff2f51eccafa381a34b79

SHA1
cb6f4b2700f04b3be3770fa117c95a239450a814

SHA256
86cc95f53228028097d53500f7422e30f18254fc3f914b9a971662f8ccda4fee

SHA512
32501437e3ae0113c2b07273635b723feb3fe1ff059fb59d97a8f0bb7e7bf0cb8802df4d7a5ac8fe28e82ab3b2e2576751a7c3a8fdbfa0df2e9a1a512f676f67

Download Submit
C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCE4.tmp

Filesize
11KB

MD5
793989c73db1ed24a218f045ef43e2ad

SHA1
f9b0deb8bfbd884093bbe25e0200f460bc98917e

SHA256
158f89b26732c9a49abc5efbf38643a17c525826cde2447bfc386db0b15315eb

SHA512
ce3ca3a4f66b36abe8c23cf94059da297bfbba0c8e0d9df5ddf0356072f9778dd5b992c7e1bce2b2ebde77a652338522dc0b871779594eb3a7582dfde3740b79

Download Submit
C:\Windows\System32\DriverStore\Temp\{44a658aa-126a-7840-baf8-9ff125e9e573}\SETBCF4.tmp

Filesize
2KB

MD5
1ec0263011cb6d0b6069c3255abc5adb

SHA1
1ca79cc432cbda91380cabe67a740c5a408462ae

SHA256
d9a7d1c495660c0b7eaba6fd57d759e387be7f291aeceed6b5e8bad28063659b

SHA512
111f65003fabdaac578488e22a30bc7a232650541f138b5847c08cad9ff55b96af1b138f27f84602764aee258a3145c7fa486db2bc0833519c0155a270b84c79

Download Submit
C:\Windows\System32\DriverStore\Temp\{5a4d6ea5-1d23-5847-a860-0f63fada25b6}\SETB7A6.tmp

Filesize
635KB

MD5
227b4dfd1c5387cbcf2a6411383180cd

SHA1
19d8cda9d5ecd84ecd7b3d0cf348f2ac900533d6

SHA256
fe0ec65c0c6a9b87039ecc2cb8e08b3151395f6d50a02fdb9dac80493a2e21d6

SHA512
b78b7afc5a6e016fcb254dfe76be9558c2ce5614bd9ab1d0e8e63b52c7f3ea3bae21f9c7feae3aa5fb16b5edf75a95e6a8390bebbaae8bb137adb94bad77c976

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\CL_Registry.ps1

Filesize
19KB

MD5
59f9534a3feb830e121a5bf4fda24454

SHA1
5230558a975b173fea29f65d982ffc34c96c4d14

SHA256
c0f1f9e9e9171ec757dce8cf57c0b4091fa74680571c1ff58537a2050a1e9132

SHA512
2f026e2bfa48788c2a2ffcd191f6f30cf6df78a1bcfcd602cc26c3823903c7c4dbe36f4cd2a6b38310ddeb9dc2510c11b51c708b98aab1d5c4df0cfe5a5957f9

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\RC_BITSACL.ps1

Filesize
1KB

MD5
d3791a156a0a606073c82a150f49287c

SHA1
2a08755e81c6b6fdc9123bec2dfb7849ef809479

SHA256
9bc95705bf1b51f20c603bd48ef5c0fbe0646f1f265161246613852455d7235d

SHA512
409c9f2917ad9f0d92923c839962c9cddab8a641ff60f07176ab4800f0af9c9060c0c4fe976af31cb138fbdc2047bf2a2bdca74115c344e886848321c0f267b3

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\RC_BITSDLL.ps1

Filesize
2KB

MD5
12d667b11912eecb9732500d4c943ee7

SHA1
22473792d3de8ed3669fa89710c34ce377a980b5

SHA256
ed07487d7de3ae2793e40ffd62ee0aa20131807757d41c4306b8d47849efd49d

SHA512
651673533260afe3c513a43a0680e647ea040dbc7e07382308eb192a07bd77084841da0e66c9df312450451a934587803a890a88de6c734d5254aaddd6c9fb35

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\RC_BITSRegKeys.ps1

Filesize
5KB

MD5
4749314e61791f525f2b74a9654647bf

SHA1
23fca013110dc9b7699228fbd51856bd6ee43943

SHA256
1f64b5578accea26927bc18eb926c1a1f8331563e8a14b4512e5b7f2f9219c25

SHA512
59a12c936e2bffc2272f7393d9f87a2c35228dd11d388e1d16c6de85a5e3d783a792f392d99fd32a754c3a7afba56a304bdc87da8c11408000892d2e7b862db6

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\TS_Main.ps1

Filesize
1KB

MD5
9400d4eb8fc7ebc84b4c5eca2423f815

SHA1
cc5cd42fc4b942ddc435417cfcd294d1dcc5b0c5

SHA256
4d9ee2f37025e6e87ae01ec98b6f6e19f53d5763f7955bf0d2a01973403802a8

SHA512
b9f2dafb9f8b5319fd09a0bc95a3981e0b6aea456163f3dbf82d9d6a35e2d932decf375a4fe730e766f2f6cac19fa177f3f6156c79958919b6e3224bbfbea57d

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\cl_Service.ps1

Filesize
10KB

MD5
bce5918b3d28bcfd3ecec630a51df80a

SHA1
301d7b6b6b9ad37ccd5b6450c2f9a181854ed2c3

SHA256
21b1e44e981315ebda2a671eca3c4b1d5d4262583dc72a355f2584f26b535fb5

SHA512
961ff9674454ae02ea09e83cf8192599db2123e0af9594d086e591df3717e62eaee1dc679d15f754266ab1e11f7a3a6520458754ddddfb51a2fef48a6f4199cf

Download Submit
C:\Windows\TEMP\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\en-US\CL_LocalizationData.psd1

Filesize
816B

MD5
b0020e1643a6b53e7e888ed5f6ef3b3d

SHA1
f8b61228028bb9abb3fd79d45f8e8d35c2e24d24

SHA256
2b44ca7ad580ed3da81ce04c3458a580d3c61e4192c81d56bf637bbb3c5d6067

SHA512
559678ab23506fa81a810814f9948322555d9a793f8558682cccf287676682ecf31fafb69f8bc18e5e3546c8d7e379c8a1cccdb93baea1402bbdabb4c69f8b48

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\CL_SetupEnv.ps1

Filesize
5KB

MD5
4ddf0c498640c370e1784e79f0fdac92

SHA1
b51b2181f848e37750ef4990f541fc101a3fbccb

SHA256
9077f7333d2a6e2128964b82ee75d852eb8254b3f859fdc8f351d276c9cbc97d

SHA512
223d07ff369f89ff26d141b25f1c94d5f03772a61b2afd6e95c465ce49bb0588a708c3d4646c38173f71c0e2b38d50158a7dd4075ec9184c29e6d5eeb4f34555

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\CL_Utility.ps1

Filesize
3KB

MD5
1214973d075474ef5b2f6e146228790e

SHA1
e7aad84340db77b0b83a7d0ef34ecbc71ca17b55

SHA256
6facc78db7bd38aa4d0064f860f3b3e1a371549625b09177e291f723e938f147

SHA512
1f748cf98f1cf4fbc30e3d56b7e68c3ef592a2d8e900d5fd4a7890065b61bde9b3db07344c70c4fb0ee8e9482e3732783fe8f808fbdd28cc960fa2d54d689e56

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\RC_Pendingrestart.ps1

Filesize
960B

MD5
fbe432569a75e8d646b5fd3d14b70deb

SHA1
23fae396480a8cdaa4705372947cfd89b6dca2c1

SHA256
128f5a8a0df3549175f6a80d38d97a42f9086425ecb191e9965f97dd2590608e

SHA512
6a89f3fc9d5259e32a18c0bac50296d2dfa4d1308900da5941dd874e72252f2259302acac9b2263a38a9b7bd851d805c48e4b6741e92f6bfc8f12fd4284489d9

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\RC_WaaSMedic.ps1

Filesize
1KB

MD5
0ad285ba852ea709534ee7fbf6a95c1d

SHA1
f23115c60b3a64f02f66693e8f620a0b5b34d7d3

SHA256
298f6d37ae210dcee4381c94b7df8b1c7b43afdc9c170bffc876e135e722c251

SHA512
c963a0499916dc9702d1c43b852b4454aff50988b57c5beb241ba1a5ecf7196d9af02b46ec0b7c799b920791c0d6729243c62406a241f4afd8ff5a86e611aa3d

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\RS_WaaSMedic.ps1

Filesize
854B

MD5
d4bd18bfdef6ca9973dcc42cc4ec38e8

SHA1
3d0116d1851a07fd89d3a214f7bf348cc0bc56c0

SHA256
4498d08d45c60c6b9185adea9fa253ffc2bd31ec1e6e17af0728707863336cac

SHA512
eac45d818a2d704a31958b0aa205cac842c63d8d256e810423fa5c584fc4a6826fc4be6861046214ebc10bc71860ede00504b0ff0a6b5dbc8a8c3e8af495d717

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\TS_Main.ps1

Filesize
3KB

MD5
9f73b819ca1f285afb1531ce8d255fd8

SHA1
a1e6377b540a26b7a3f79d0cdf645f5bce292b8c

SHA256
1a7e22f7e0d45ab58b965b5adbed5f5c53d4d7a98feb01a956cf5f052868cb84

SHA512
7f3f538486a7f2f894999dc1202906caf13bc0e810ea849529304f4a66a9fa9c33f607ba85c061b8c89125a1725dc43d68cab3eb614ab8aa91159cd65726b3f2

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\TS_Main.temp

Filesize
22B

MD5
45f5076ac79538b8b83479365e72c9c4

SHA1
4d6f86e15cf4e57d6646c6c50b4a91b41266a489

SHA256
a86ea51993103ca1a38d16123ab7c262af9c9dd2d3fead64d9610cf82b509de2

SHA512
3255edce2ff5ca552abe5eb43fac0d4bd5267004d1642520b5d48c938926f4d8285360c6254318c6e84ab2cb835f579765e4f87714e0f560d570a99d11f8e0eb

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\cl_Service.ps1

Filesize
4KB

MD5
e9c7251335c9fd0da44321fc4355d429

SHA1
9376085dda11223ce09844216721c29c1ebc394b

SHA256
7c8d05cf9d82729e24e371a8ad9f8d47c191bf7980bce9e3abe3d8986268d9ab

SHA512
397513ba1eb1a4dfdc0c8f2b91c1307cad847179cfd77acdd9bd5fa3ee9d7980fadbc946b457e7e1c22c96398901d090f2b27305a81da4d5695d881c01a173d0

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\cl_windowsupdate.ps1

Filesize
13KB

MD5
a33c56824341bd79927a2d2fc687e58c

SHA1
094ce6d8f3cd8372df2d8ac6f4b88d8a35f519eb

SHA256
0e5c9cac5b2697acb2ee059fac8189be9aafc244e99b41566c009d6528ec7175

SHA512
b548beb024b437c3d75eccfc4f4343b68b1f30ee024f0749a24c8d0c53f4ea0b1b41685bf502d6700bd240f2ffc23cde0e9feb90ca6d1fe96a28ee4435ab19f9

Download Submit
C:\Windows\TEMP\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\en-US\CL_LocalizationData.psd1

Filesize
1KB

MD5
9f445f0aecd769bdbf01880fa071e3bd

SHA1
f5c1d9df0c788c56e443ce725e5f25b55a29c44b

SHA256
123c59ba4994b75f4be87ecbe8083bd65fe4186defe2df09eb879b33bd5ed800

SHA512
86d63bc8e21c6a69cf93a227f8430c0017c1346787dc07f6e55e13fa29037f0c69bcc13783e3ea3adb3f7568a1f923c54f05e8377f393477e8b7b613156ea0d0

Download Submit
C:\Windows\TEMP\{06E0C~1\xvdd.cat

Filesize
11KB

MD5
b4ec3c04aec7ee59f7f44d709a73ddf3

SHA1
011b07d856593c16994335c275ed1774da9e7e85

SHA256
980317512122c6dc4e0cd3981c3b72baafc66356556833d948fa5a17907d0b47

SHA512
1a4f62266688b6cc1c983358bb7998bd8f579f223f395a5d072a20ab74c6d11fd28ad00149b287e16cf42b1fa55176048c9cccdd897538f960a6c04efef8ba90

Download Submit
C:\Windows\TEMP\{06e0ccca-8113-0a4f-8180-7b1d6c81a401}\xvdd.inf

Filesize
1KB

MD5
341f6fdf816c51fe702997cc4cf06b08

SHA1
223fd0fcc96a0f7dfad8581011939c44a0686132

SHA256
e92776e03c5d7f7d408232d7b8a780b4b3d86ab4b5a833d66f59c8a2d9e2c959

SHA512
64773a898e5d4446682813366634166d975a6f551ca2643e6f0fc097ede8faab828233f83cd6565539562d882304103ce1215a20f6138b38c9842c85b4403a2b

Download Submit
C:\Windows\TEMP\{B390E~1\gameflt.sys

Filesize
163KB

MD5
ec55ff59890db29d01aea48070a62266

SHA1
76ecbd14b6b0e6dc143e6e7cb51e4e4a12875899

SHA256
1657a5c6ae6674d8d7f0534d1b5d729f7253a78935decf9cdb2f6c41098bc6ef

SHA512
4b933d5c596707dc7c4da0981839c8307cb52e6aa12f382a4a15ac0a74602ce4d3bb1587350ecc680ff18c0785c9ab8265d402c4ca8b2864cd3a3a484ec67620

Download Submit
C:\Windows\Temp\SDIAG_091c0bee-efac-4375-995f-0a5fc77631bf\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_091c0bee-efac-4375-995f-0a5fc77631bf\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\DiagPackage.dll

Filesize
77KB

MD5
fc7504df42668c2918657d1b9a3102c9

SHA1
5f9a70a31678e2e8b9a10849ea8657702d0cb53d

SHA256
159c4d4621f4ce1f4da14246401d85a00b40c0090fd0b2640446a896127ac646

SHA512
c844f9e5ba72eddc6aca73e09214bf8372ee5676124077983b78b10b9830a5e5eabd9c9fff2650858836f995ea79b1f0502609a428797b838ac7cda3f627c0da

Download Submit
C:\Windows\Temp\SDIAG_3fd1bb7a-29f2-4464-913f-9364079224d3\en-US\DiagPackage.dll.mui

Filesize
4KB

MD5
2ad9d1abe41ad048186f196b58fd8e9a

SHA1
d9c66f6ef89ad126ef2bbb36e0bcf6fc8a0e34af

SHA256
9b9acb69e01f79160d368cdcd8a4dc81f18da6398f920b6f663938171f5f718c

SHA512
4c4e1e5bbe173dfd37c65fff64a029883b2f719a360a9f5ee0772b304a518839605528b97b1ac0319b79a6d7f284767ad6c04b3b769559e2b14600c467947d61

Download Submit
C:\Windows\Temp\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\DiagPackage.dll

Filesize
77KB

MD5
458bc0d439cb0d955120ae319c6ed91b

SHA1
b8899daffcbf912462d7e089d126d664c1a40216

SHA256
9454ec899ff78ff14c4c5137ba23d99dfaba079c629afd790640d0f07724201c

SHA512
fda4a2641db70fabc10d73dc28dc13f3b85140a382e032fa7a46abd5eb72e076f96794ccbc0f344a0cc88222fe27ee527a3587eed286e3e3db338824950369c0

Download Submit
C:\Windows\Temp\SDIAG_f449f13d-5f53-40e3-9c63-769be310e7b4\en-US\DiagPackage.dll.mui

Filesize
6KB

MD5
84d58b706a4a16e582a140f72110b7f5

SHA1
bb7a3f254dde61f948417eabdc5a0883d102d873

SHA256
4b012aeaa40324691c6af926d5bb27409232fe8c484fd295d64925fc36f31060

SHA512
9f520c9d00586d9fb8a87b904d75616ca18b6dc3badd1db71ee85236a6bba459d56eee6ba29ae8cd2139fda8e5df961b232ad87a17fb4dbe61dd4422d804c508

Download Submit
memory/1088-11-0x0000000008CF0000-0x0000000008CFE000-memory.dmp

Filesize
56KB

Download
memory/1088-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1088-8-0x000000000B420000-0x000000000B428000-memory.dmp

Filesize
32KB

Download
memory/1088-9-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-6-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-5-0x0000000008630000-0x0000000008638000-memory.dmp

Filesize
32KB

Download
memory/1088-3-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-28-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-2-0x0000000007770000-0x0000000007932000-memory.dmp

Filesize
1.8MB

Download
memory/1088-1-0x00000000009A0000-0x00000000029F6000-memory.dmp

Filesize
32.3MB

Download
memory/1088-17-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-16-0x0000000008910000-0x0000000008936000-memory.dmp

Filesize
152KB

Download
memory/1088-15-0x0000000008610000-0x000000000861A000-memory.dmp

Filesize
40KB

Download
memory/1088-13-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1088-10-0x000000000C760000-0x000000000C798000-memory.dmp

Filesize
224KB

Download
memory/1088-12-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/5752-527-0x0000013FB6F60000-0x0000013FB6F82000-memory.dmp

Filesize
136KB

Download
memory/5828-848-0x000001AEC8350000-0x000001AEC8351000-memory.dmp

Filesize
4KB

Download
memory/5828-847-0x000001AEC8240000-0x000001AEC8241000-memory.dmp

Filesize
4KB

Download
memory/5828-846-0x000001AEC8240000-0x000001AEC8241000-memory.dmp

Filesize
4KB

Download
memory/5828-844-0x000001AEC8210000-0x000001AEC8211000-memory.dmp

Filesize
4KB

Download
memory/5828-828-0x000001AEBFEA0000-0x000001AEBFEB0000-memory.dmp

Filesize
64KB

Download
memory/5828-812-0x000001AEBFDA0000-0x000001AEBFDB0000-memory.dmp

Filesize
64KB

Download