Analysis
- max time kernel: 93s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2024 14:34
Static task: static1
Behavioral task: behavioral1 (Sample: gameguard_setup.msi; Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: gameguard_setup.msi; Resource: win7-20240903-en)
Behavioral task: behavioral3 (Sample: gameguard_setup.msi; Resource: win10v2004-20240802-en)
Behavioral task: behavioral4 (Sample: gameguard_setup.msi; Resource: win11-20240802-en)
General
- Target: gameguard_setup.msi
- Size: 7.7MB
- MD5: 68bd8f9af44479db013a77c806f1c674
- SHA1: 0cbb2b63c78b42e13b1818964bb2cf43e46c5052
- SHA256: ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
- SHA512: 991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
- SSDEEP: 196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw
Malware Config
Signatures
Blocklisted process makes network request (5 IoCs)
Processes: msiexec.exe, msiexec.exe
flow | pid | process
4 | 1656 | msiexec.exe
6 | 1656 | msiexec.exe
8 | 1656 | msiexec.exe
51 | 3676 | msiexec.exe
52 | 3676 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
All 46 IoCs are "File opened (read-only)" by msiexec.exe; the drive paths, in the order reported, are:
\??\K:, \??\S:, \??\P:, \??\Y:, \??\L:, \??\U:, \??\X:, \??\L:, \??\O:, \??\U:, \??\E:, \??\G:, \??\V:, \??\B:, \??\J:, \??\Q:, \??\R:, \??\H:, \??\J:, \??\Y:, \??\I:, \??\O:, \??\I:, \??\P:, \??\B:, \??\M:, \??\V:, \??\Z:, \??\S:, \??\W:, \??\Z:, \??\E:, \??\N:, \??\R:, \??\A:, \??\K:, \??\W:, \??\X:, \??\T:, \??\A:, \??\G:, \??\M:, \??\Q:, \??\T:, \??\H:, \??\N:
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: acsvc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | acsvc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes: gameguard.exe, gameguard.exe
pid | process
2272 | gameguard.exe
2272 | gameguard.exe
4908 | gameguard.exe
4908 | gameguard.exe
Drops file in Program Files directory (8 IoCs)
Processes: gameguard.exe, acsvc.exe, msiexec.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\GameGuard\acsvc.exe | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\cache\lwskkl.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\gameguard.exe | acsvc.exe
File opened for modification | C:\Program Files (x86)\GameGuard\gameguard.exe | acsvc.exe
File created | C:\Program Files (x86)\GameGuard\acsvc.exe | msiexec.exe
File created | C:\Program Files (x86)\GameGuard\gameguard.exe | msiexec.exe
File created | C:\Program Files (x86)\GameGuard\cache\sjdgfve.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\acsvc.exe | gameguard.exe
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e584a06.msi | msiexec.exe
File created | C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico | msiexec.exe
File opened for modification | C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico | msiexec.exe
File created | C:\Windows\Installer\e584a04.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e584a04.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4FB1.tmp | msiexec.exe
Executes dropped EXE (5 IoCs)
Processes: acsvc.exe, gameguard.exe, acsvc.exe, acsvc.exe, gameguard.exe
pid | process
4844 | acsvc.exe
2272 | gameguard.exe
544 | acsvc.exe
4688 | acsvc.exe
4908 | gameguard.exe
Loads dropped DLL (1 IoCs)
Processes: MsiExec.exe
pid | process
3512 | MsiExec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: gameguard.exe, acsvc.exe, acsvc.exe, gameguard.exe, MsiExec.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gameguard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gameguard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Modifies registry class (46 IoCs)
Processes: msiexec.exe (all 46 IoCs below are attributed to msiexec.exe)
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
Key created | \REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol
Key created | \REGISTRY\MACHINE\Software\Classes\ggac
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
Key created | \REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: msiexec.exe, gameguard.exe, gameguard.exe
pid | process
3676 | msiexec.exe
3676 | msiexec.exe
2272 | gameguard.exe
2272 | gameguard.exe
2272 | gameguard.exe
2272 | gameguard.exe
4908 | gameguard.exe
4908 | gameguard.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
Tokens adjusted, in the order reported, with consecutive entries from the same pid grouped (pid process: tokens):
- 1656 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege (2 IoCs)
- 3676 msiexec.exe: SeSecurityPrivilege (1 IoC)
- 1656 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (29 IoCs)
- 3880 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 IoCs)
- 3676 msiexec.exe: SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, then SeTakeOwnershipPrivilege and SeRestorePrivilege alternating 13 times (29 IoCs)
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: msiexec.exe, gameguard.exe
pid | process
1656 | msiexec.exe
1656 | msiexec.exe
2272 | gameguard.exe
2272 | gameguard.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: gameguard.exe
pid | process
2272 | gameguard.exe
2272 | gameguard.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: msiexec.exe, MsiExec.exe, acsvc.exe, acsvc.exe
description | pid | process | target process | times reported
PID 3676 wrote to memory of 2520 | 3676 | msiexec.exe | srtasks.exe | 2
PID 3676 wrote to memory of 3512 | 3676 | msiexec.exe | MsiExec.exe | 3
PID 3512 wrote to memory of 2272 | 3512 | MsiExec.exe | gameguard.exe | 3
PID 544 wrote to memory of 4688 | 544 | acsvc.exe | acsvc.exe | 3
PID 4688 wrote to memory of 4908 | 4688 | acsvc.exe | gameguard.exe | 3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the process tree; child processes are listed under their parent)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
  PID: 1656
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3676
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (child of PID 3676)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 2520

    C:\Windows\syswow64\MsiExec.exe (child of PID 3676)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6DF8E507F029E969EFE3612C5085B179 C
      PID: 3512
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\GameGuard\gameguard.exe (child of PID 3512)
          Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
          PID: 2272
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3880
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\GameGuard\acsvc.exe
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
  PID: 4844
  - Executes dropped EXE

C:\Program Files (x86)\GameGuard\acsvc.exe
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
  PID: 544
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\GameGuard\acsvc.exe (child of PID 544)
      Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
      PID: 4688
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\GameGuard\gameguard.exe (child of PID 4688)
          Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
          PID: 4908
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 11KB
MD5: fe1a169f57ad917c71a240ff99f9b147
SHA1: a788c256bc13137cca676c9924b8fae7931557ce
SHA256: fa75b9a64531539d72989d4c110867b0a15de9426a0aabb14127aaba466775bc
SHA512: 58154b4171d066a391120cdfe875f86d09979a86352f2a799fa52dd0f77bca28528ac5edf76981c66133451e3d084dbd938a9aa00c780d228cf15bc101fa3bb8
-
Filesize: 316KB
MD5: 7ec55f85dd4740e6f146d3ee54e01201
SHA1: 44fcf3bb83a006ab6ca90d728bec43c031e0cada
SHA256: 7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229
SHA512: 7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b
-
Filesize: 15.3MB
MD5: 1ac7965867072e615fea1ee20dc2300e
SHA1: d175990d7fe808931ee915470b130a2c37283ee8
SHA256: 0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc
SHA512: 4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1
-
Filesize: 330KB
MD5: b966184ae28d7bc96756bc3ed001c701
SHA1: 8c620632624e9bc9b3e7d7a672072bdb6952df87
SHA256: f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324
SHA512: 8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003
-
Filesize: 7.2MB
MD5: 81ed38976254bb646c0ecee753324027
SHA1: c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6
SHA256: cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7
SHA512: 476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018
-
Filesize: 4KB
MD5: 94bf0bf032ce32469dd74f4f1f5320e6
SHA1: 86bff704a2f82816f346a6a374250f35743de3b0
SHA256: 54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b
SHA512: ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize: 1KB
MD5: 004eba2a24fda787318ce19fec383d25
SHA1: f9e5b03ce43664c60c7937c8998d4c12165af3ca
SHA256: ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e
SHA512: fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize: 5B
MD5: 5bfa51f3a417b98e7443eca90fc94703
SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD
Filesize: 222B
MD5: 20e3f77990ae11487f724aa97c84b0b1
SHA1: f76372871ccd50976eaaa17a7a18306118dd5147
SHA256: 5f8915c289bcd32eff8f7a447f78d72d5a8754533e332cae48e64b6f8f2069ee
SHA512: b9beb5db4e4a2974604493c9082a0e89f4b03002c37b4b0504828c85b6c128abc5635215df7ce8cdcdd148f44a0896b145e07bad3e1221f73e16e0b70ac8e245
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize: 498B
MD5: b5845676e8717eadb3f705f41b197c03
SHA1: 2a3e7b1805bd0c33eb80df8b6ba9b24383fb869a
SHA256: f11fafbc9de8bbf474229188ac9abe5ab364ff3efe14ddb61fea629fe98012f3
SHA512: a9f91ed29979a52e52f0ee9098321feb29978edf109bd8f37f78a58e70f3454a1aa3671ad39718ccbeca3db631fd5d8754b3f6b5e9246946d54d47eca8d5c38c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize: 448B
MD5: 492539486c92666f6537454eb644af2d
SHA1: cc4937eaf714f50d90dc7a809bed497a397a23d4
SHA256: 6742bbaf08b9a87308956698b5a2170f41b4ce56734c309d8701bcca1e963bd4
SHA512: b7381925a61b7be3c5e388dfd229001436172943459c92ba399ad03cf7cecc87f5413df6754051dc5d4c51ddaac56721ce74f6fb736d7edad27664de50e7c1ab
-
Filesize: 202KB
MD5: d773d9bd091e712df7560f576da53de8
SHA1: 165cfbdce1811883360112441f7237b287cf0691
SHA256: e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA512: 15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd
-
Filesize: 7.7MB
MD5: 68bd8f9af44479db013a77c806f1c674
SHA1: 0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256: ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512: 991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
-
Filesize: 23.7MB
MD5: f9e316c81c516855f495d13cac055cba
SHA1: 6e90625f146310814bfb706af6b6e669ca98b6b4
SHA256: 91d5dd3a3b4b65e39e617cb597075f72219a82874737786e27c1d0eaf183e00d
SHA512: 2a6ddeca10c5f61f2c9a1eba264ec74e713c839623270ba63e4d87b1273326da507ac7ed7686a05fd85779dc593b279ab1375e722500d96530f8a46342e98d80
-
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1667d4e1-7525-4eed-a9a8-0249fea2fd66}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 4c32fdb50c138e3cbc31eb26a246d0e0
SHA1: c6d60597c502dbb8a7d578ff623d9f37365b31f2
SHA256: 83f917a610881d7e434eee5aa7a08b7df43477e2108bf8cb67f4cd6561068b6b
SHA512: 146d941d21267be0def4fdc895db31a5f92f10c4a938e8c8cfa41498919dba93bcb09c0a77d8d32eae26d87f9cc9c639081269ec59672a0014c0e0a97198c9ba