Analysis
-
max time kernel
82s -
max time network
91s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-09-2024 14:34
Static task
static1
Behavioral task
behavioral1
Sample
gameguard_setup.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
gameguard_setup.msi
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
gameguard_setup.msi
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
gameguard_setup.msi
Resource
win11-20240802-en
General
-
Target
gameguard_setup.msi
-
Size
7.7MB
-
MD5
68bd8f9af44479db013a77c806f1c674
-
SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052
-
SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
-
SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
-
SSDEEP
196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw
Malware Config
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
msiexec.exemsiexec.exeflow pid process 2 164 msiexec.exe 4 164 msiexec.exe 6 164 msiexec.exe 21 4744 msiexec.exe 22 4744 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
gameguard.exegameguard.exepid process 2268 gameguard.exe 2268 gameguard.exe 3864 gameguard.exe 3864 gameguard.exe -
Drops file in Program Files directory 8 IoCs
Processes:
acsvc.exemsiexec.exegameguard.exedescription ioc process File created C:\Program Files (x86)\GameGuard\gameguard.exe acsvc.exe File opened for modification C:\Program Files (x86)\GameGuard\gameguard.exe acsvc.exe File created C:\Program Files (x86)\GameGuard\acsvc.exe msiexec.exe File created C:\Program Files (x86)\GameGuard\gameguard.exe msiexec.exe File created C:\Program Files (x86)\GameGuard\cache\bvvsygtk.cache gameguard.exe File created C:\Program Files (x86)\GameGuard\acsvc.exe gameguard.exe File opened for modification C:\Program Files (x86)\GameGuard\acsvc.exe gameguard.exe File created C:\Program Files (x86)\GameGuard\cache\gvfcrd.cache gameguard.exe -
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSID13A.tmp msiexec.exe File opened for modification C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico msiexec.exe File created C:\Windows\Installer\e57cd62.msi msiexec.exe File opened for modification C:\Windows\Installer\e57cd62.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839} msiexec.exe File created C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico msiexec.exe File created C:\Windows\Installer\e57cd64.msi msiexec.exe -
Executes dropped EXE 5 IoCs
Processes:
acsvc.exegameguard.exeacsvc.exeacsvc.exegameguard.exepid process 4392 acsvc.exe 2268 gameguard.exe 3276 acsvc.exe 1152 acsvc.exe 3864 gameguard.exe -
Loads dropped DLL 1 IoCs
Processes:
MsiExec.exepid process 2636 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MsiExec.exegameguard.exeacsvc.exeacsvc.exegameguard.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gameguard.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language acsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language acsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gameguard.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
svchost.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b msiexec.exe -
Modifies registry class 46 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ggac msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\ggac msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\gameguard msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
msiexec.exegameguard.exegameguard.exepid process 4744 msiexec.exe 4744 msiexec.exe 2268 gameguard.exe 2268 gameguard.exe 2268 gameguard.exe 2268 gameguard.exe 3864 gameguard.exe 3864 gameguard.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 164 msiexec.exe Token: SeIncreaseQuotaPrivilege 164 msiexec.exe Token: SeSecurityPrivilege 4744 msiexec.exe Token: SeCreateTokenPrivilege 164 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 164 msiexec.exe Token: SeLockMemoryPrivilege 164 msiexec.exe Token: SeIncreaseQuotaPrivilege 164 msiexec.exe Token: SeMachineAccountPrivilege 164 msiexec.exe Token: SeTcbPrivilege 164 msiexec.exe Token: SeSecurityPrivilege 164 msiexec.exe Token: SeTakeOwnershipPrivilege 164 msiexec.exe Token: SeLoadDriverPrivilege 164 msiexec.exe Token: SeSystemProfilePrivilege 164 msiexec.exe Token: SeSystemtimePrivilege 164 msiexec.exe Token: SeProfSingleProcessPrivilege 164 msiexec.exe Token: SeIncBasePriorityPrivilege 164 msiexec.exe Token: SeCreatePagefilePrivilege 164 msiexec.exe Token: SeCreatePermanentPrivilege 164 msiexec.exe Token: SeBackupPrivilege 164 msiexec.exe Token: SeRestorePrivilege 164 msiexec.exe Token: SeShutdownPrivilege 164 msiexec.exe Token: SeDebugPrivilege 164 msiexec.exe Token: SeAuditPrivilege 164 msiexec.exe Token: SeSystemEnvironmentPrivilege 164 msiexec.exe Token: SeChangeNotifyPrivilege 164 msiexec.exe Token: SeRemoteShutdownPrivilege 164 msiexec.exe Token: SeUndockPrivilege 164 msiexec.exe Token: SeSyncAgentPrivilege 164 msiexec.exe Token: SeEnableDelegationPrivilege 164 msiexec.exe Token: SeManageVolumePrivilege 164 msiexec.exe Token: SeImpersonatePrivilege 164 msiexec.exe Token: SeCreateGlobalPrivilege 164 msiexec.exe Token: SeBackupPrivilege 3000 vssvc.exe Token: SeRestorePrivilege 3000 vssvc.exe Token: SeAuditPrivilege 3000 vssvc.exe Token: SeBackupPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe Token: SeTakeOwnershipPrivilege 4744 msiexec.exe Token: SeRestorePrivilege 4744 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msiexec.exegameguard.exepid process 164 msiexec.exe 164 msiexec.exe 2268 gameguard.exe 2268 gameguard.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
gameguard.exepid process 2268 gameguard.exe 2268 gameguard.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
msiexec.exeMsiExec.exeacsvc.exeacsvc.exedescription pid process target process PID 4744 wrote to memory of 2116 4744 msiexec.exe srtasks.exe PID 4744 wrote to memory of 2116 4744 msiexec.exe srtasks.exe PID 4744 wrote to memory of 2636 4744 msiexec.exe MsiExec.exe PID 4744 wrote to memory of 2636 4744 msiexec.exe MsiExec.exe PID 4744 wrote to memory of 2636 4744 msiexec.exe MsiExec.exe PID 2636 wrote to memory of 2268 2636 MsiExec.exe gameguard.exe PID 2636 wrote to memory of 2268 2636 MsiExec.exe gameguard.exe PID 2636 wrote to memory of 2268 2636 MsiExec.exe gameguard.exe PID 3276 wrote to memory of 1152 3276 acsvc.exe acsvc.exe PID 3276 wrote to memory of 1152 3276 acsvc.exe acsvc.exe PID 3276 wrote to memory of 1152 3276 acsvc.exe acsvc.exe PID 1152 wrote to memory of 3864 1152 acsvc.exe gameguard.exe PID 1152 wrote to memory of 3864 1152 acsvc.exe gameguard.exe PID 1152 wrote to memory of 3864 1152 acsvc.exe gameguard.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:164
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2116
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9DAE4C13CB18128F5A5AF1487B51EF09 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Program Files (x86)\GameGuard\gameguard.exe"C:\Program Files (x86)\GameGuard\gameguard.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1332
-
C:\Program Files (x86)\GameGuard\acsvc.exe"C:\Program Files (x86)\GameGuard\acsvc.exe"1⤵
- Executes dropped EXE
PID:4392
-
C:\Program Files (x86)\GameGuard\acsvc.exe"C:\Program Files (x86)\GameGuard\acsvc.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Program Files (x86)\GameGuard\acsvc.exe"C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Program Files (x86)\GameGuard\gameguard.exe"C:\Program Files (x86)\GameGuard\gameguard.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5f42dde92071454715bb895dfb91e365e
SHA1bc4e5bd7d330191f6cc6a35a0d725a1e5d7514e9
SHA256f1d55b041c50bbcdf3bee0bfba30d5682f39d14d9cab8fdbd555cfea0a0b2086
SHA5120da10797b1a045d42fe058c94f288111cfbdf38522d3f9d60d31fbe21d9762b6dcbcc2f52210da3d43fea0131b4c2ad417d31f8ec41b71c0843eb22e0c2117e4
-
Filesize
316KB
MD57ec55f85dd4740e6f146d3ee54e01201
SHA144fcf3bb83a006ab6ca90d728bec43c031e0cada
SHA2567997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229
SHA5127b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b
-
Filesize
330KB
MD5b966184ae28d7bc96756bc3ed001c701
SHA18c620632624e9bc9b3e7d7a672072bdb6952df87
SHA256f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324
SHA5128b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003
-
Filesize
15.3MB
MD51ac7965867072e615fea1ee20dc2300e
SHA1d175990d7fe808931ee915470b130a2c37283ee8
SHA2560cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc
SHA5124bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1
-
Filesize
7.2MB
MD581ed38976254bb646c0ecee753324027
SHA1c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6
SHA256cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7
SHA512476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018
-
Filesize
4KB
MD594bf0bf032ce32469dd74f4f1f5320e6
SHA186bff704a2f82816f346a6a374250f35743de3b0
SHA25654f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b
SHA512ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize1KB
MD5004eba2a24fda787318ce19fec383d25
SHA1f9e5b03ce43664c60c7937c8998d4c12165af3ca
SHA256ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e
SHA512fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD
Filesize222B
MD59a4cd3cf1625f8f41824f794fbee89da
SHA1201cbffb9c0ee515ff30e97a55840ad7ed28b91b
SHA2563b7ff44922b02c5a9d59b6539984e2e9b61065307f7f486bd1d1ede7ea83b57e
SHA512c462b947e200031395df9d3c5be5be29950996f92519b0d0aaa8b7cff61d096d64b5797370bf586a3b76f80aa7a03ac35b5157bb5dc752eabdf45abf048dc810
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize498B
MD5c4374e7da8d10760bc463c6f06b6df4d
SHA1189e551197e6ce6459fb9418cc0504f465c1b5cc
SHA256ebfe14bb1aaae43c24de86f67d5f4f9e653a4883f7303480d29c907e776a6e81
SHA5120c7e49dad44521ef83899663cd51f582e00db504bc2dd59c1dc533a1e9d596ee3ac386cb69c2b37ede7defb1f35b7cf3714772f699bb10e208748203ea151f3f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize448B
MD5ad6a328286148938d273e38a14e4a813
SHA142522c4a0f214f00bf4b27ad19cbaa60b383bff8
SHA2567c04841a90471e8d110a2fe6dc53937f8f3a734383bae52cdf1e9b71b21e5c33
SHA512d9a2546e68806c3b13b8a900b89c7fc10151ac47e4e7a71a96b20f082063606bd963de22e619570d9ceda75a80747578c7d60d66ffa983588f01eb54beed86c5
-
Filesize
202KB
MD5d773d9bd091e712df7560f576da53de8
SHA1165cfbdce1811883360112441f7237b287cf0691
SHA256e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA51215a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd
-
Filesize
7.7MB
MD568bd8f9af44479db013a77c806f1c674
SHA10cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
-
Filesize
26.0MB
MD5466de4d188abf2a986c6b1b2e8fc3e48
SHA10c570bb5ed017966c4862eb8b4e8d835ae8c94a6
SHA256fed763bee97e8b6f95f9643413c51997b88d4581bf20c0a8b31ef79f5e9b70e1
SHA5120adf2568bcbf941699d2c3acdd01a2b1182024e44a5261f787bbedba5a4c80a327aec10390cb96336b7af23d238570b205b9dd2165bff011e475618e0af42ae3
-
\??\Volume{38ff9706-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c2d1e34-460b-452e-8524-36f6a4c2b751}_OnDiskSnapshotProp
Filesize5KB
MD5940558b973a08c26f58e23a9b3fd610d
SHA18718cbf5b67fd020bfcf8a0b554cd28e914ce94a
SHA256b4d6ac39e62fc3eda9050cf58285d7216f62a93451cf0ad15808daf85cf3e69b
SHA5128f7790bf35de445e91a30400d30e87b68a4ebd3d684c91253696e057cdd77c91e7547b3bab5876dc347b2890dfbf4f74f496db9d2d02aafc8467cfcb36567fbf