Analysis
max time kernel: 86s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-uk
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-uk locale:uk-ua os:windows10-2004-x64 system:windows
submitted: 21-09-2024 14:30
Static task: static1
Behavioral task: behavioral1
Sample: gameguard_setup.msi
Resource: win10v2004-20240802-uk
General
Target: gameguard_setup.msi
Size: 7.7MB
MD5: 68bd8f9af44479db013a77c806f1c674
SHA1: 0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256: ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512: 991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP: 196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw
Malware Config
Signatures
Blocklisted process makes network request 5 IoCs
Processes (flow / pid / process):
  4   4012  msiexec.exe
  6   4012  msiexec.exe
  14  4012  msiexec.exe
  42  4644  msiexec.exe
  45  4644  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
  File opened (read-only)  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  msiexec.exe
  (two msiexec.exe processes are listed; each of the 23 drive letters above appears twice, giving the 46 IoCs; C:, D: and F: do not appear)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  acsvc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which detaches the calling thread from any attached debugger so that debug events from that thread are no longer delivered. This is a common anti-debugging technique in software protectors and anti-cheat components as well as in malware; the report on its own does not establish which this is.
Processes (pid / process):
  4968  gameguard.exe
  4968  gameguard.exe
  3436  gameguard.exe
  3436  gameguard.exe
  3788  gameguard.exe
  3788  gameguard.exe
Drops file in Program Files directory 8 IoCs
Processes (description / ioc / process):
  File opened for modification  C:\Program Files (x86)\GameGuard\gameguard.exe        acsvc.exe
  File created                  C:\Program Files (x86)\GameGuard\acsvc.exe            msiexec.exe
  File created                  C:\Program Files (x86)\GameGuard\gameguard.exe        msiexec.exe
  File created                  C:\Program Files (x86)\GameGuard\cache\fuhwvfe.cache  gameguard.exe
  File created                  C:\Program Files (x86)\GameGuard\acsvc.exe            gameguard.exe
  File opened for modification  C:\Program Files (x86)\GameGuard\acsvc.exe            gameguard.exe
  File created                  C:\Program Files (x86)\GameGuard\cache\itbxabe.cache  gameguard.exe
  File created                  C:\Program Files (x86)\GameGuard\gameguard.exe        acsvc.exe
Note that after msiexec.exe drops the two binaries, acsvc.exe re-creates gameguard.exe and gameguard.exe re-creates acsvc.exe, so the files on disk at the end of the run are not necessarily the copies msiexec.exe extracted from the package; compare the hashes in the Downloads section before relying on either.
Drops file in Windows directory 10 IoCs
Processes (description / ioc / process):
  File created                  C:\Windows\Installer\e58e8a6.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\e58e8a6.msi                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                    msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                           msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839}    msiexec.exe
  File created                  C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico     msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                 msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF632.tmp                                         msiexec.exe
  File opened for modification  C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico     msiexec.exe
  File created                  C:\Windows\Installer\e58e8a8.msi                                         msiexec.exe
Executes dropped EXE 6 IoCs
Processes (pid / process):
  4048  acsvc.exe
  4968  gameguard.exe
  2500  acsvc.exe
  1872  acsvc.exe
  3436  gameguard.exe
  3788  gameguard.exe
Loads dropped DLL 1 IoCs
Processes (pid / process):
  3040  MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gameguard.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  acsvc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  acsvc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gameguard.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gameguard.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
All five entries belong to vssvc.exe, the Volume Shadow Copy service, and accompany the restore point that srtasks.exe creates on behalf of the installer (see the Processes section); none of the dropped GameGuard binaries touch these keys, so on this run the signature reflects installer-triggered system activity rather than a sandbox check by the sample.
Modifies data under HKEY_USERS 3 IoCs
Processes (description / ioc / process):
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26           msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27           msiexec.exe
Modifies registry class 46 IoCs
Registers two custom URL protocol handlers, gameguard: and ggac: (both titled "URL:GameGuard Protocol"), whose shell\open\command launches gameguard.exe. The command carries no %1 placeholder, so a URI handed over by a browser is not forwarded to the handler, but any web page can still cause the executable to start. The remaining entries are the standard Windows Installer product registration under HKLM\SOFTWARE\Classes\Installer: the key name 044A85BDBB20B334EA990D8BFA138A93 is the packed form of the ProductCode {DB58A440-02BB-433B-AE99-D0B8AF31A839}, the same GUID used for the C:\Windows\Installer\{DB58A440-...} directory and SourceHash key above; Version 16777216 is 0x01000000, i.e. 1.0.0; LastUsedSource records the package's original location in C:\Users\Admin\AppData\Local\Temp\.
Processes (description / ioc / process), all msiexec.exe:
  Key created      \REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open
  Key created      \REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol
  Key created      \REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key created      \REGISTRY\MACHINE\Software\Classes\gameguard
  Key created      \REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\ggac
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"
  Key created      \REGISTRY\MACHINE\Software\Classes\ggac
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
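The registry IoCs above are easier to act on once decoded. The following is an added example (editor's code, not part of the sandbox report and not code from the GameGuard product) that takes a subset of these lines as the sandbox prints them, decodes the packed Windows Installer product and upgrade codes back into GUIDs using the Installer's packed-GUID convention (reverse the first three groups as strings, swap each pair of hex digits in the last two), and lists every class registered as a URL protocol together with its open command and whether that command forwards the URI via %1. The `example` protocol lines are constructed for contrast and do not appear in the report.

```python
import re

# Constructed sample: a subset of the "Modifies registry class" IoC lines from
# the report above, copied as the sandbox prints them (description, key/value, process).
# The two "example" lines are constructed and NOT in the report.
REG_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard" msiexec.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\example\URL Protocol msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\example\shell\open\command\ = "\"C:\\Example\\handler.exe\" \"%1\"" msiexec.exe',
]


def _swap_pairs(s: str) -> str:
    """Reverse the byte order of a hex string: 'D0B8' -> '0D8B'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def _squish(groups):
    # Windows Installer packed GUID: groups 1-3 reversed whole, groups 4-5 byte-swapped.
    # The transform is its own inverse, so pack and unpack share it.
    return [groups[0][::-1], groups[1][::-1], groups[2][::-1],
            _swap_pairs(groups[3]), _swap_pairs(groups[4])]


def pack_msi_guid(guid: str) -> str:
    """'{DB58A440-02BB-433B-AE99-D0B8AF31A839}' -> '044A85BDBB20B334EA990D8BFA138A93'."""
    groups = guid.strip("{}").upper().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid}")
    return "".join(_squish(groups))


def unpack_msi_guid(packed: str) -> str:
    """Inverse of pack_msi_guid; returns the braced, dashed GUID."""
    p = packed.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError(f"not a packed GUID: {packed}")
    return "{" + "-".join(_squish([p[:8], p[8:12], p[12:16], p[16:20], p[20:]])) + "}"


_URLPROTO = re.compile(r"\\Classes\\([^\\]+)\\URL Protocol\b")
_COMMAND = re.compile(r'\\Classes\\([^\\]+)\\shell\\open\\command\\ = "(.*)" \S+$')
_INSTALLER = re.compile(r"\\Installer\\(Products|UpgradeCodes)\\([0-9A-F]{32})")


def _unescape(value: str) -> str:
    # The sandbox prints registry strings with \" and \\ escapes; undo them.
    return re.sub(r"\\(.)", r"\1", value)


def url_protocol_handlers(lines):
    """Map each class registered as a URL protocol to its open command and
    whether the command forwards the URI (contains %1)."""
    protocols, commands = set(), {}
    for line in lines:
        m = _URLPROTO.search(line)
        if m:
            protocols.add(m.group(1))
        m = _COMMAND.search(line)
        if m:
            commands[m.group(1)] = _unescape(m.group(2))
    return {p: {"command": commands.get(p),
                "passes_uri": "%1" in (commands.get(p) or "")}
            for p in sorted(protocols)}


def installer_codes(lines):
    """Decode packed codes under HKLM\\SOFTWARE\\Classes\\Installer into GUIDs."""
    out = {"Products": set(), "UpgradeCodes": set()}
    for line in lines:
        for kind, packed in _INSTALLER.findall(line):
            out[kind].add(unpack_msi_guid(packed))
    return out


if __name__ == "__main__":
    for name, info in url_protocol_handlers(REG_IOCS).items():
        print(f"{name}: -> {info['command']}  forwards URI: {info['passes_uri']}")
    for kind, guids in installer_codes(REG_IOCS).items():
        print(kind, sorted(guids))
```

Run against the lines above, the Products key decodes to {DB58A440-02BB-433B-AE99-D0B8AF31A839}, which is the directory and SourceHash name under C:\Windows\Installer in the "Drops file in Windows directory" signature, and the UpgradeCodes key decodes to {EF6C8D41-299A-433C-8C1E-1F3EB0388F1E}. Both GameGuard protocols report `passes_uri: False`, so a `gameguard://` or `ggac://` link starts the binary without handing it the URI; the constructed `example` protocol shows what a handler that does forward it looks like.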
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid / process):
  4644  msiexec.exe
  4644  msiexec.exe
  4968  gameguard.exe
  4968  gameguard.exe
  4968  gameguard.exe
  4968  gameguard.exe
  3436  gameguard.exe
  3436  gameguard.exe
  3788  gameguard.exe
  3788  gameguard.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process), in the order reported:
  4012 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  4644 msiexec.exe: SeSecurityPrivilege
  4012 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  640 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4644 msiexec.exe: SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for the rest of the 64 listed entries
Enabling privileges in bulk is normal for an elevated Windows Installer client (4012, the msiexec.exe /I process), and the repeated SeRestorePrivilege/SeTakeOwnershipPrivilege toggles on the service-side msiexec.exe (4644, msiexec.exe /V) accompany its writes under C:\Windows\Installer and C:\Program Files (x86). The SeDebugPrivilege entry is part of that bulk enable on 4012, not a privilege requested by the dropped GameGuard binaries, which do not appear in this signature.
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid / process):
  4012  msiexec.exe
  4012  msiexec.exe
  4968  gameguard.exe
  4968  gameguard.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid / process):
  4968  gameguard.exe
  4968  gameguard.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
  3788  gameguard.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes (description / pid / process / target process):
  PID 4644 wrote to memory of 2220  msiexec.exe -> srtasks.exe    (2 writes)
  PID 4644 wrote to memory of 3040  msiexec.exe -> MsiExec.exe    (3 writes)
  PID 3040 wrote to memory of 4968  MsiExec.exe -> gameguard.exe  (3 writes)
  PID 2500 wrote to memory of 1872  acsvc.exe -> acsvc.exe        (3 writes)
  PID 1872 wrote to memory of 3436  acsvc.exe -> gameguard.exe    (3 writes)
Every writer/target pair here is a parent writing into its own direct child as shown in the Processes section below. Writes of that shape also occur during ordinary process creation, so on their own they are not evidence of code injection into an unrelated process; the case to look for is a write whose target is not the writer's child, and no such write appears in this report.
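To separate parent-to-child writes from cross-process ones mechanically, the following added example (editor's code, not from the sandbox report) parses the "wrote to memory" IoC lines above and checks each writer/target pair against the parent/child edges transcribed from the Processes section of this report. The final sample line is constructed to show what a cross-process write would look like; it does not appear in the report.

```python
import re
from collections import Counter

# Constructed sample: the fourteen "wrote to memory" IoC lines copied from the report above.
WPM_IOCS = """\
PID 4644 wrote to memory of 2220 4644 msiexec.exe srtasks.exe
PID 4644 wrote to memory of 2220 4644 msiexec.exe srtasks.exe
PID 4644 wrote to memory of 3040 4644 msiexec.exe MsiExec.exe
PID 4644 wrote to memory of 3040 4644 msiexec.exe MsiExec.exe
PID 4644 wrote to memory of 3040 4644 msiexec.exe MsiExec.exe
PID 3040 wrote to memory of 4968 3040 MsiExec.exe gameguard.exe
PID 3040 wrote to memory of 4968 3040 MsiExec.exe gameguard.exe
PID 3040 wrote to memory of 4968 3040 MsiExec.exe gameguard.exe
PID 2500 wrote to memory of 1872 2500 acsvc.exe acsvc.exe
PID 2500 wrote to memory of 1872 2500 acsvc.exe acsvc.exe
PID 2500 wrote to memory of 1872 2500 acsvc.exe acsvc.exe
PID 1872 wrote to memory of 3436 1872 acsvc.exe gameguard.exe
PID 1872 wrote to memory of 3436 1872 acsvc.exe gameguard.exe
PID 1872 wrote to memory of 3436 1872 acsvc.exe gameguard.exe
"""

# Constructed line, NOT in the report: a write into a process that is not the
# writer's child, which is the shape an injection would have.
INJECTION_IOC = "PID 3788 wrote to memory of 1572 3788 gameguard.exe msedge.exe\n"

# Child pid -> parent pid, transcribed from the nesting in the report's Processes
# section. Depth-1 processes have no parent recorded there and are omitted.
PROCESS_TREE = {2220: 4644, 3040: 4644, 4968: 3040, 1872: 2500, 3436: 1872}

_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for each IoC line."""
    return [(int(s), int(d), si, di) for s, d, si, di in _LINE.findall(text)]


def classify_writes(text, tree=PROCESS_TREE):
    """Collapse repeated lines per writer/target pair and label each pair:
    'parent-to-child' when the target is the writer's direct child (what a
    parent does while spawning), 'cross-process' otherwise."""
    counts = Counter(parse_writes(text))
    rows = []
    for (s, d, si, di), n in sorted(counts.items()):
        kind = "parent-to-child" if tree.get(d) == s else "cross-process"
        rows.append({"src": s, "dst": d, "src_image": si, "dst_image": di,
                     "writes": n, "kind": kind})
    return rows


def injection_candidates(text, tree=PROCESS_TREE):
    """Only the cross-process writes: the ones worth a closer look."""
    return [r for r in classify_writes(text, tree) if r["kind"] == "cross-process"]


if __name__ == "__main__":
    for r in classify_writes(WPM_IOCS + INJECTION_IOC):
        print(f"{r['src']:>5} {r['src_image']:<14} -> {r['dst']:>5} "
              f"{r['dst_image']:<14} x{r['writes']}  {r['kind']}")
```

On the report's own lines every pair comes back as parent-to-child and `injection_candidates` is empty; only the constructed gameguard.exe -> msedge.exe line is flagged. The tree lookup is deliberately strict (direct child only): a write into a grandchild or an unrelated process is surfaced rather than explained away.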
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe  (PID 4012, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 4644, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe  (PID 2220, depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\syswow64\MsiExec.exe  (PID 3040, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F62B38AD1FC3600F16BFDA377AB50BCB C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\GameGuard\gameguard.exe  (PID 4968, depth 3)
      Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1572, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,953679255148167322,11941616348703188819,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

C:\Windows\system32\vssvc.exe  (PID 640, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\GameGuard\acsvc.exe  (PID 4048, depth 1)
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
  - Executes dropped EXE

C:\Program Files (x86)\GameGuard\acsvc.exe  (PID 2500, depth 1)
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\GameGuard\acsvc.exe  (PID 1872, depth 2)
    Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\GameGuard\gameguard.exe  (PID 3436, depth 3)
      Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\GameGuard\gameguard.exe  (PID 3788, depth 1)
  Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5288, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte024045dh7294h4298hb36bh2dba71b896a5
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: 7806e284be9d78b75bedafd4db8634ce
SHA1: 948404b677f0f9eee8509828370fee9f05d3d5a7
SHA256: 58e7f8af6474a5665981bd9dd854cd21c1b518d19426a49e87401760334c72e5
SHA512: 3a2e9b94954740037464f3ab3da312f43a29b72a7ff1f04c6e160e8f38ee85db2970773de9a4050cfb2baca8e83caf88a0637e7136c6a96365ece2fddb006c83

Filesize: 316KB
MD5: 7ec55f85dd4740e6f146d3ee54e01201
SHA1: 44fcf3bb83a006ab6ca90d728bec43c031e0cada
SHA256: 7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229
SHA512: 7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Filesize: 330KB
MD5: b966184ae28d7bc96756bc3ed001c701
SHA1: 8c620632624e9bc9b3e7d7a672072bdb6952df87
SHA256: f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324
SHA512: 8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003

Filesize: 15.3MB
MD5: 1ac7965867072e615fea1ee20dc2300e
SHA1: d175990d7fe808931ee915470b130a2c37283ee8
SHA256: 0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc
SHA512: 4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1

Filesize: 7.2MB
MD5: 81ed38976254bb646c0ecee753324027
SHA1: c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6
SHA256: cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7
SHA512: 476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

Filesize: 4KB
MD5: 94bf0bf032ce32469dd74f4f1f5320e6
SHA1: 86bff704a2f82816f346a6a374250f35743de3b0
SHA256: 54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b
SHA512: ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize: 1KB
MD5: 004eba2a24fda787318ce19fec383d25
SHA1: f9e5b03ce43664c60c7937c8998d4c12165af3ca
SHA256: ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e
SHA512: fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize: 5B
MD5: 5bfa51f3a417b98e7443eca90fc94703
SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD
Filesize: 222B
MD5: 3f0a4a69ea0fba014d56ff67a7d533e5
SHA1: e4869fb0f9754087d5c836e1d70e833d4aeb340c
SHA256: 6d4a57a041503f66fb7a948e58b6db171f90db5f53eff97829e68f4676674914
SHA512: d1152af8a9bd61ededad02d4dab70f581c78ab60e2f5b1ed1aa90e2f9b01e926fe6a974614d3e0e2a31993f7490594cc8ed4879e8e5772a013586d2f821082e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize: 498B
MD5: 7262afe8adb586699b1e1589f4f9c1cd
SHA1: fbf756973a01c46a6d5df0391028ab02b1bce8fe
SHA256: 550807b31a2464c585038fd1fcbd08f09042fc4b140a651ea1c9efebf598efd1
SHA512: e668220bc5f1397f8f291c5495b91dd996258ad7b535d20ec1202e57584959bb230188d0c1f355362283c2826aaf6ec32ac285c7b9c6cfa371afb478e1be2518

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize: 448B
MD5: 0219858575a0b64c27be3d24bb3f542d
SHA1: 29092ffca29ac5533f63449e32b9dd3ac171e4bd
SHA256: adc69b6f9ab726dbeffaf4b89f290013fdde3d1de135f0f4446fb71d477f599a
SHA512: 0e65941405dfe23ab17d00a5be922e504d0129f15774b46a900d64dd7675414de2e1f5968e7608f75808e95b2ed7a5a678a7ff1371a79cebd63b969b5ebcccc5

Filesize: 202KB
MD5: d773d9bd091e712df7560f576da53de8
SHA1: 165cfbdce1811883360112441f7237b287cf0691
SHA256: e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA512: 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Filesize: 7.7MB (identical hashes to the submitted sample)
MD5: 68bd8f9af44479db013a77c806f1c674
SHA1: 0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256: ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512: 991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

Filesize: 23.7MB
MD5: 13ca294ca7c450fab4642bdcf395e9b7
SHA1: 1b17e0dbc4ddef455a78adf3f75afa2828718eeb
SHA256: fdf7dab95977e3ace76b5429f9717149779c82bf1a09c0e4224ddca8af13e8e6
SHA512: 17e2341a21f998b47e0f55b7889a0f599760fe3573589a893d4dc0db0297a7d833f27520b06832afdd0cc480236c1c71e9f637ff79a691713bf0eb52254fcb23

\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e946d275-d641-48f0-a44f-ebef489f9f18}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 7ed3ebf36c36f0c7a5d0398853e00d02
SHA1: 4d17061c98d79d4732b90b225e12c7528bc7d7bb
SHA256: 286f907f556a77821d9d36ffbd87c4b4f84b30fbeb93e12bf32ad8442fcfa0c2
SHA512: 77f707a14dc9a59c66bf383ee653b7c4a77f3d9105a4b8a7cd9228519e8dcf54671d45bda7e68aac4ed1828ed34d6c7fd36d12d3a6e73a7bd5f28b2d7c4f440b