ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

Analysis

max time kernel
82s
max time network
91s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gameguard_setup.msi
Size

7.7MB
MD5

68bd8f9af44479db013a77c806f1c674
SHA1

0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256

ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512

991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP

196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

2 164 msiexec.exe
4 164 msiexec.exe
6 164 msiexec.exe
21 4744 msiexec.exe
22 4744 msiexec.exe

flow	pid	process
2	164	msiexec.exe
4	164	msiexec.exe
6	164	msiexec.exe
21	4744	msiexec.exe
22	4744	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

gameguard.exegameguard.exe

pid process

2268 gameguard.exe
2268 gameguard.exe
3864 gameguard.exe
3864 gameguard.exe

pid	process
2268	gameguard.exe
2268	gameguard.exe
3864	gameguard.exe
3864	gameguard.exe

Drops file in Program Files directory 8 IoCs

Processes:

acsvc.exemsiexec.exegameguard.exe

description	ioc	process
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File opened for modification	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	msiexec.exe
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	msiexec.exe
File created	C:\Program Files (x86)\GameGuard\cache\bvvsygtk.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe
File opened for modification	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\cache\gvfcrd.cache	gameguard.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID13A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e57cd62.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cd62.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839}	msiexec.exe
File created	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e57cd64.msi	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

acsvc.exegameguard.exeacsvc.exeacsvc.exegameguard.exe

pid process

4392 acsvc.exe
2268 gameguard.exe
3276 acsvc.exe
1152 acsvc.exe
3864 gameguard.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

2636 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

164 msiexec.exe

pid	process
4392	acsvc.exe
2268	gameguard.exe
3276	acsvc.exe
1152	acsvc.exe
3864	gameguard.exe

pid	process
2636	MsiExec.exe

pid	process
164	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exegameguard.exeacsvc.exeacsvc.exegameguard.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe

Modifies registry class 46 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msiexec.exegameguard.exegameguard.exe

pid process

4744 msiexec.exe
4744 msiexec.exe
2268 gameguard.exe
2268 gameguard.exe
2268 gameguard.exe
2268 gameguard.exe
3864 gameguard.exe
3864 gameguard.exe

pid	process
4744	msiexec.exe
4744	msiexec.exe
2268	gameguard.exe
2268	gameguard.exe
2268	gameguard.exe
2268	gameguard.exe
3864	gameguard.exe
3864	gameguard.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	164	msiexec.exe
Token: SeSecurityPrivilege	4744	msiexec.exe
Token: SeCreateTokenPrivilege	164	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	164	msiexec.exe
Token: SeLockMemoryPrivilege	164	msiexec.exe
Token: SeIncreaseQuotaPrivilege	164	msiexec.exe
Token: SeMachineAccountPrivilege	164	msiexec.exe
Token: SeTcbPrivilege	164	msiexec.exe
Token: SeSecurityPrivilege	164	msiexec.exe
Token: SeTakeOwnershipPrivilege	164	msiexec.exe
Token: SeLoadDriverPrivilege	164	msiexec.exe
Token: SeSystemProfilePrivilege	164	msiexec.exe
Token: SeSystemtimePrivilege	164	msiexec.exe
Token: SeProfSingleProcessPrivilege	164	msiexec.exe
Token: SeIncBasePriorityPrivilege	164	msiexec.exe
Token: SeCreatePagefilePrivilege	164	msiexec.exe
Token: SeCreatePermanentPrivilege	164	msiexec.exe
Token: SeBackupPrivilege	164	msiexec.exe
Token: SeRestorePrivilege	164	msiexec.exe
Token: SeShutdownPrivilege	164	msiexec.exe
Token: SeDebugPrivilege	164	msiexec.exe
Token: SeAuditPrivilege	164	msiexec.exe
Token: SeSystemEnvironmentPrivilege	164	msiexec.exe
Token: SeChangeNotifyPrivilege	164	msiexec.exe
Token: SeRemoteShutdownPrivilege	164	msiexec.exe
Token: SeUndockPrivilege	164	msiexec.exe
Token: SeSyncAgentPrivilege	164	msiexec.exe
Token: SeEnableDelegationPrivilege	164	msiexec.exe
Token: SeManageVolumePrivilege	164	msiexec.exe
Token: SeImpersonatePrivilege	164	msiexec.exe
Token: SeCreateGlobalPrivilege	164	msiexec.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe
Token: SeBackupPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe
Token: SeTakeOwnershipPrivilege	4744	msiexec.exe
Token: SeRestorePrivilege	4744	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exegameguard.exe

pid process

164 msiexec.exe
164 msiexec.exe
2268 gameguard.exe
2268 gameguard.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

gameguard.exe

pid process

2268 gameguard.exe
2268 gameguard.exe

pid	process
164	msiexec.exe
164	msiexec.exe
2268	gameguard.exe
2268	gameguard.exe

pid	process
2268	gameguard.exe
2268	gameguard.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exeMsiExec.exeacsvc.exeacsvc.exe

description	pid	process	target process
PID 4744 wrote to memory of 2116	4744	msiexec.exe	srtasks.exe
PID 4744 wrote to memory of 2116	4744	msiexec.exe	srtasks.exe
PID 4744 wrote to memory of 2636	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 2636	4744	msiexec.exe	MsiExec.exe
PID 4744 wrote to memory of 2636	4744	msiexec.exe	MsiExec.exe
PID 2636 wrote to memory of 2268	2636	MsiExec.exe	gameguard.exe
PID 2636 wrote to memory of 2268	2636	MsiExec.exe	gameguard.exe
PID 2636 wrote to memory of 2268	2636	MsiExec.exe	gameguard.exe
PID 3276 wrote to memory of 1152	3276	acsvc.exe	acsvc.exe
PID 3276 wrote to memory of 1152	3276	acsvc.exe	acsvc.exe
PID 3276 wrote to memory of 1152	3276	acsvc.exe	acsvc.exe
PID 1152 wrote to memory of 3864	1152	acsvc.exe	gameguard.exe
PID 1152 wrote to memory of 3864	1152	acsvc.exe	gameguard.exe
PID 1152 wrote to memory of 3864	1152	acsvc.exe	gameguard.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2116

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9DAE4C13CB18128F5A5AF1487B51EF09 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1332

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Executes dropped EXE
PID:4392

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3276

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cd63.rbs

Filesize
10KB

MD5
f42dde92071454715bb895dfb91e365e

SHA1
bc4e5bd7d330191f6cc6a35a0d725a1e5d7514e9

SHA256
f1d55b041c50bbcdf3bee0bfba30d5682f39d14d9cab8fdbd555cfea0a0b2086

SHA512
0da10797b1a045d42fe058c94f288111cfbdf38522d3f9d60d31fbe21d9762b6dcbcc2f52210da3d43fea0131b4c2ad417d31f8ec41b71c0843eb22e0c2117e4

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
316KB

MD5
7ec55f85dd4740e6f146d3ee54e01201

SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada

SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Download Submit
C:\Program Files (x86)\GameGuard\cache\bvvsygtk.cache

Filesize
330KB

MD5
b966184ae28d7bc96756bc3ed001c701

SHA1
8c620632624e9bc9b3e7d7a672072bdb6952df87

SHA256
f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324

SHA512
8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003

Download Submit
C:\Program Files (x86)\GameGuard\cache\gvfcrd.cache

Filesize
15.3MB

MD5
1ac7965867072e615fea1ee20dc2300e

SHA1
d175990d7fe808931ee915470b130a2c37283ee8

SHA256
0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc

SHA512
4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1

Download Submit
C:\Program Files (x86)\GameGuard\gameguard.exe

Filesize
7.2MB

MD5
81ed38976254bb646c0ecee753324027

SHA1
c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6

SHA256
cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7

SHA512
476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD

Filesize
4KB

MD5
94bf0bf032ce32469dd74f4f1f5320e6

SHA1
86bff704a2f82816f346a6a374250f35743de3b0

SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
004eba2a24fda787318ce19fec383d25

SHA1
f9e5b03ce43664c60c7937c8998d4c12165af3ca

SHA256
ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e

SHA512
fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD

Filesize
222B

MD5
9a4cd3cf1625f8f41824f794fbee89da

SHA1
201cbffb9c0ee515ff30e97a55840ad7ed28b91b

SHA256
3b7ff44922b02c5a9d59b6539984e2e9b61065307f7f486bd1d1ede7ea83b57e

SHA512
c462b947e200031395df9d3c5be5be29950996f92519b0d0aaa8b7cff61d096d64b5797370bf586a3b76f80aa7a03ac35b5157bb5dc752eabdf45abf048dc810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
c4374e7da8d10760bc463c6f06b6df4d

SHA1
189e551197e6ce6459fb9418cc0504f465c1b5cc

SHA256
ebfe14bb1aaae43c24de86f67d5f4f9e653a4883f7303480d29c907e776a6e81

SHA512
0c7e49dad44521ef83899663cd51f582e00db504bc2dd59c1dc533a1e9d596ee3ac386cb69c2b37ede7defb1f35b7cf3714772f699bb10e208748203ea151f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
448B

MD5
ad6a328286148938d273e38a14e4a813

SHA1
42522c4a0f214f00bf4b27ad19cbaa60b383bff8

SHA256
7c04841a90471e8d110a2fe6dc53937f8f3a734383bae52cdf1e9b71b21e5c33

SHA512
d9a2546e68806c3b13b8a900b89c7fc10151ac47e4e7a71a96b20f082063606bd963de22e619570d9ceda75a80747578c7d60d66ffa983588f01eb54beed86c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF954.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\e57cd62.msi

Filesize
7.7MB

MD5
68bd8f9af44479db013a77c806f1c674

SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052

SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
466de4d188abf2a986c6b1b2e8fc3e48

SHA1
0c570bb5ed017966c4862eb8b4e8d835ae8c94a6

SHA256
fed763bee97e8b6f95f9643413c51997b88d4581bf20c0a8b31ef79f5e9b70e1

SHA512
0adf2568bcbf941699d2c3acdd01a2b1182024e44a5261f787bbedba5a4c80a327aec10390cb96336b7af23d238570b205b9dd2165bff011e475618e0af42ae3

Download Submit
\??\Volume{38ff9706-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c2d1e34-460b-452e-8524-36f6a4c2b751}_OnDiskSnapshotProp

Filesize
5KB

MD5
940558b973a08c26f58e23a9b3fd610d

SHA1
8718cbf5b67fd020bfcf8a0b554cd28e914ce94a

SHA256
b4d6ac39e62fc3eda9050cf58285d7216f62a93451cf0ad15808daf85cf3e69b

SHA512
8f7790bf35de445e91a30400d30e87b68a4ebd3d684c91253696e057cdd77c91e7547b3bab5876dc347b2890dfbf4f74f496db9d2d02aafc8467cfcb36567fbf

Download Submit
memory/2268-92-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2268-91-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2268-93-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2268-94-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2268-95-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2268-96-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2268-97-0x0000000000030000-0x0000000000BEE000-memory.dmp

Filesize
11.7MB

Download
memory/2268-90-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2268-89-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3864-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3864-115-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3864-116-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3864-117-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3864-118-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3864-119-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3864-120-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3864-121-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/3864-123-0x0000000000F80000-0x000000000288C000-memory.dmp

Filesize
25.0MB

Download