Analysis
-
max time kernel
120s
-
max time network
130s
-
platform
windows11-21h2_x64
-
resource
win11-20240802-en
-
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted
21-09-2024 14:34
Static task
static1
Behavioral task
behavioral1
Sample
gameguard_setup.msi
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
gameguard_setup.msi
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
gameguard_setup.msi
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
gameguard_setup.msi
Resource
win11-20240802-en
General
-
Target
gameguard_setup.msi
-
Size
7.7MB
-
MD5
68bd8f9af44479db013a77c806f1c674
-
SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052
-
SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
-
SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
-
SSDEEP
196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: gguard.exe
description | ioc | process
File created | C:\Windows\system32\drivers\acdrv.sys | gguard.exe
-
Blocklisted process makes network request 5 IoCs
Processes: msiexec.exe, msiexec.exe
flow | pid | process
2 | 2120 | msiexec.exe
3 | 2120 | msiexec.exe
4 | 2120 | msiexec.exe
7 | 960 | msiexec.exe
8 | 960 | msiexec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:; each letter is opened twice, two msiexec.exe processes being listed, for 46 rows in total) | msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes: gameguard.exe, gameguard.exe, gguard.exe, ggvolehn.exe
pid | process | rows
2044 | gameguard.exe | 2
4636 | gameguard.exe | 2
1072 | gguard.exe | 2
1776 | ggvolehn.exe | 2
-
Drops file in Program Files directory 16 IoCs
Processes: gameguard.exe, gameguard.exe, acsvc.exe, msiexec.exe, gguard.exe
description | ioc | process
File created | C:\Program Files (x86)\GameGuard\steam_api.dll | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\acsvc.exe | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\cache\qfprmqhf.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\gameguard.exe | acsvc.exe
File opened for modification | C:\Program Files (x86)\GameGuard\gameguard.exe | acsvc.exe
File created | C:\Program Files (x86)\GameGuard\cache\tckkrthh.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\gguard.exe | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\gameguard.exe | msiexec.exe
File created | C:\Program Files (x86)\GameGuard\cache\rpgkfav.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\steam_appid.txt | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\launcher_x64 | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\acsvc.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\GameGuard\acsvc.exe | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\ggvolehn.exe | gguard.exe
File created | C:\Program Files (x86)\GameGuard\cache\lvioolry.cache | gameguard.exe
File created | C:\Program Files (x86)\GameGuard\cache\ndcfdc.cache | gameguard.exe
-
Drops file in Windows directory 14 IoCs
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\SystemTemp\~DFB80C05DAE92EE5FB.TMP | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF905C4EAE3DC46C14.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF758F6BDAA6B477D7.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7E05.tmp | msiexec.exe
File created | C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico | msiexec.exe
File created | C:\Windows\SystemTemp\~DFBC95AA2D6DD77113.TMP | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839} | msiexec.exe
File opened for modification | C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico | msiexec.exe
File created | C:\Windows\Installer\e587339.msi | msiexec.exe
File created | C:\Windows\Installer\e587337.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e587337.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
-
Executes dropped EXE 7 IoCs
Processes: acsvc.exe, gameguard.exe, acsvc.exe, acsvc.exe, gameguard.exe, gguard.exe, ggvolehn.exe
pid | process
2076 | acsvc.exe
2044 | gameguard.exe
4712 | acsvc.exe
3428 | acsvc.exe
4636 | gameguard.exe
1072 | gguard.exe
1776 | ggvolehn.exe
-
Loads dropped DLL 2 IoCs
Processes: MsiExec.exe, gguard.exe
pid | process
2020 | MsiExec.exe
1072 | gguard.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Program crash 2 IoCs
Processes: WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4948 | 1776 | WerFault.exe | ggvolehn.exe
1160 | 1776 | WerFault.exe | ggvolehn.exe
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: acsvc.exe, acsvc.exe, gameguard.exe, gguard.exe, ggvolehn.exe, MsiExec.exe, gameguard.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gameguard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gguard.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ggvolehn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gameguard.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run every row belongs to vssvc.exe, the Volume Shadow Copy service started for the installer's restore point (srtasks.exe ExecuteScopeRestorePoint in the process tree), not to any of the dropped binaries.
Processes: vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (data not preserved in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
-
Modifies data under HKEY_USERS 3 IoCs
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
-
Modifies registry class 46 IoCs
Processes: msiexec.exe (process column is msiexec.exe for all 46 rows)
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard
Key created | \REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"
Key created | \REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command
Key created | \REGISTRY\MACHINE\Software\Classes\ggac
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"
Key created | \REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msiexec.exe, gameguard.exe, gameguard.exe, gguard.exe, ggvolehn.exe
pid | process | rows (64 in total)
960 | msiexec.exe | 2
2044 | gameguard.exe | 4
4636 | gameguard.exe | 50
1072 | gguard.exe | 6
1776 | ggvolehn.exe | 2
-
Suspicious behavior: LoadsDriver 1 IoCs
pid | process
684 | (process name not recorded in the report)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe
pid | process | tokens, in the order recorded
2120 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege
960 | msiexec.exe | SeSecurityPrivilege
2120 | msiexec.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
244 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
960 | msiexec.exe | SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for the remaining 27 rows (SeRestorePrivilege ×14, SeTakeOwnershipPrivilege ×13)
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: msiexec.exe, gameguard.exe, ggvolehn.exe
pid | process | rows
2120 | msiexec.exe | 2
2044 | gameguard.exe | 2
1776 | ggvolehn.exe | 1
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes: gameguard.exe, ggvolehn.exe
pid | process | rows
2044 | gameguard.exe | 2
1776 | ggvolehn.exe | 1
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: ggvolehn.exe
pid | process
1776 | ggvolehn.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: msiexec.exe, MsiExec.exe, acsvc.exe, acsvc.exe, gameguard.exe, gguard.exe
pid | process | target pid | target process | rows
960 | msiexec.exe | 4876 | srtasks.exe | 2
960 | msiexec.exe | 2020 | MsiExec.exe | 3
2020 | MsiExec.exe | 2044 | gameguard.exe | 3
4712 | acsvc.exe | 3428 | acsvc.exe | 3
3428 | acsvc.exe | 4636 | gameguard.exe | 3
4636 | gameguard.exe | 1072 | gguard.exe | 3
1072 | gguard.exe | 1776 | ggvolehn.exe | 3
1072 | gguard.exe | 5024 | verifier.exe | 2
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the tree depth the report recorded for each process)
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2120
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
-
  C:\Windows\system32\srtasks.exe (depth 2)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID:4876
  -
  C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 840CFDCF7C425ED9AF4A12BB119C8966 C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
  -
    C:\Program Files (x86)\GameGuard\gameguard.exe (depth 3)
    Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2044
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:244
-
C:\Program Files (x86)\GameGuard\acsvc.exe (depth 1)
Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
- Executes dropped EXE
PID:2076
-
C:\Program Files (x86)\GameGuard\acsvc.exe (depth 1)
Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712
-
  C:\Program Files (x86)\GameGuard\acsvc.exe (depth 2)
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3428
  -
    C:\Program Files (x86)\GameGuard\gameguard.exe (depth 3)
    Command line: "C:\Program Files (x86)\GameGuard\gameguard.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4636
    -
      C:\Program Files (x86)\GameGuard\gguard.exe (depth 4)
      Command line: ".\gguard.exe"
      - Drops file in Drivers directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:1072
      -
        C:\Program Files (x86)\GameGuard\ggvolehn.exe (depth 5)
        Command line: "C:\Program Files (x86)\GameGuard\ggvolehn.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        PID:1776
        -
          C:\Windows\SysWOW64\WerFault.exe (depth 6)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 964
          - Program crash
          PID:4948
          -
          C:\Windows\SysWOW64\WerFault.exe (depth 6)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 964
          - Program crash
          PID:1160
        -
        C:\Windows\system32\verifier.exe (depth 5)
        Command line: C:\Windows\system32\verifier.exe /volatile /removedriver acdrv.sys
        PID:5024
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1776 -ip 1776
PID:4620
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1776 -ip 1776
PID:1696
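The WriteProcessMemory, Drops file in Drivers directory and Modifies registry class tables above carry enough structure to rebuild the process tree and pull out the dropped driver and the gameguard: and ggac: URL handlers without reading the page by hand. The Python below is a triage example added to this page; it is not tooling from the sandbox or from the GameGuard project. Its only input is rows copied from the tables above, and the row layout it parses is the one this report uses (a different sandbox would need different regexes).

```python
"""Triage helper for a flattened sandbox report such as the one above.
Added example, not the sandbox vendor's tooling: rebuilds the process tree from
the "Suspicious use of WriteProcessMemory" rows, walks a PID back to the root of
its lineage, and extracts the dropped kernel driver and the URL protocol
handlers registered under HKLM\\SOFTWARE\\Classes. Rows are copied from this report."""
import re
from collections import defaultdict

# Rows copied from "Suspicious use of WriteProcessMemory" (the report repeats a row
# once per write; one repeat is kept here so de-duplication is exercised).
WPM_ROWS = """
PID 960 wrote to memory of 4876 960 msiexec.exe srtasks.exe
PID 960 wrote to memory of 4876 960 msiexec.exe srtasks.exe
PID 960 wrote to memory of 2020 960 msiexec.exe MsiExec.exe
PID 2020 wrote to memory of 2044 2020 MsiExec.exe gameguard.exe
PID 4712 wrote to memory of 3428 4712 acsvc.exe acsvc.exe
PID 3428 wrote to memory of 4636 3428 acsvc.exe gameguard.exe
PID 4636 wrote to memory of 1072 4636 gameguard.exe gguard.exe
PID 1072 wrote to memory of 1776 1072 gguard.exe ggvolehn.exe
PID 1072 wrote to memory of 5024 1072 gguard.exe verifier.exe
"""
# Rows copied from "Drops file in Drivers directory" and "Modifies registry class".
IOC_ROWS = r"""
File created C:\Windows\system32\drivers\acdrv.sys gguard.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\"" msiexec.exe
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
DRIVER_RE = re.compile(r"File created (\S+\\drivers\\\S+) (\S+)", re.IGNORECASE)
SCHEME_RE = re.compile(r"Classes\\([^\\\s]+)\\URL Protocol")
HANDLER_RE = re.compile(r'Classes\\([^\\\s]+)\\shell\\open\\command\\ = "(.*)" \S+$', re.MULTILINE)

def parse_wpm(text):
    """(parent_pid, parent_image) -> ordered, de-duplicated [(child_pid, child_image)]."""
    tree = defaultdict(list)
    for ppid, cpid, pimg, cimg in WPM_RE.findall(text):
        if (int(cpid), cimg) not in tree[(int(ppid), pimg)]:
            tree[(int(ppid), pimg)].append((int(cpid), cimg))
    return dict(tree)

def all_nodes(tree):
    """Every process seen, parents before children, in report order, no repeats."""
    return list(dict.fromkeys(list(tree) + [c for kids in tree.values() for c in kids]))

def roots(tree):
    """Processes that are never anyone's child: the top of each lineage."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]

def lineage(tree, pid):
    """Root-to-PID chain (who ultimately launched this process); [] if the PID is unknown."""
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    node = next((n for n in all_nodes(tree) if n[0] == pid), None)
    if node is None:
        return []
    chain = [node]
    while node in parent_of:
        node = parent_of[node]
        chain.append(node)
    return chain[::-1]

def render(tree):
    """Indented text tree, one line per process, roots at depth 0."""
    lines = []
    def walk(node, depth):
        lines.append("  " * depth + f"{node[1]} (PID {node[0]})")
        for child in tree.get(node, []):
            walk(child, depth + 1)
    for root in roots(tree):
        walk(root, 0)
    return lines

def unescape_reg(value):
    """Undo the report's C-style escaping of REG_SZ data (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(["\\])', r"\1", value)

def driver_drops(text):
    """[(driver_path, dropping_image)] for each file created under a drivers directory."""
    return DRIVER_RE.findall(text)

def url_handlers(text):
    """scheme -> handler command, for every class that also sets the 'URL Protocol' value."""
    schemes = set(SCHEME_RE.findall(text))
    return {s: unescape_reg(cmd) for s, cmd in HANDLER_RE.findall(text) if s in schemes}

def driver_lineages(tree, ioc_text):
    """driver path -> lineage of every process whose image name wrote it."""
    return {path: [lineage(tree, pid) for pid, img in all_nodes(tree) if img == proc]
            for path, proc in driver_drops(ioc_text)}

if __name__ == "__main__":
    tree = parse_wpm(WPM_ROWS)
    print("\n".join(render(tree)))
    for path, chains in driver_lineages(tree, IOC_ROWS).items():
        for chain in chains:
            print(path, "written by", " > ".join(f"{img}({pid})" for pid, img in chain))
    for scheme, cmd in url_handlers(IOC_ROWS).items():
        print(f"{scheme}: handler ->", cmd)
```

Two points about what this shows. The WriteProcessMemory rows are being used as a parent-to-child proxy: the sandbox records the parent writing into a freshly created child, which is what process creation looks like, so the rebuilt tree matches the Processes section above; a write into a PID that is not the writer's child would stand out as injection rather than spawning. lineage(tree, 1776) ties the crashed ggvolehn.exe back through gguard.exe, gameguard.exe and acsvc.exe, the same chain in which gguard.exe wrote acdrv.sys and later launched verifier.exe /volatile /removedriver acdrv.sys. The URL handlers matter because any application that hands a gameguard: or ggac: link to the shell can cause the registered command to be started; the report records the command but its Network section is empty, so nothing about what the handler does with the link is claimed here.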
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
11KB
MD5
e1facb9eecf6fb992ce0517b4d9def1f
SHA1
8a5aa41a852526b427c19ad577f09ff0eab843b0
SHA256
eb4bc32f416299ce593d849bd023e266d26f0821c448834a16d95485e6d2cf09
SHA512
81132a29e9d0eb8c259a91f1f59572b4a7a76018d63738e03e9ffc829e0e61673ea9bda737a9705595c66d032a55634d6f3aa8fea3818d0fcf2d5714b3b0af62
-
Filesize
316KB
MD5
7ec55f85dd4740e6f146d3ee54e01201
SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada
SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229
SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b
-
Filesize
330KB
MD5
b966184ae28d7bc96756bc3ed001c701
SHA1
8c620632624e9bc9b3e7d7a672072bdb6952df87
SHA256
f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324
SHA512
8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003
-
Filesize
15.3MB
MD5
1ac7965867072e615fea1ee20dc2300e
SHA1
d175990d7fe808931ee915470b130a2c37283ee8
SHA256
0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc
SHA512
4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1
-
Filesize
7.2MB
MD5
81ed38976254bb646c0ecee753324027
SHA1
c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6
SHA256
cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7
SHA512
476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018
-
Filesize
41.9MB
MD5
6b6d7a19c765cfb9021d6fbc3a4ff6ff
SHA1
c23923025df7d0b7bc947659b78de99a94c62c71
SHA256
b5ea882518b27ab7499d285f0516c1bbf435190d7d55b3835e787b6d62ec3894
SHA512
addc8ef031b2725f07667703e2d69c7cd167f3e50b5070a356fdcf7846514ec4610d47b350eb29d4df7aa75808bf03ff5186f3112f2063ab56988c4f199cb8b3
-
Filesize
16.9MB
MD5
d274658c7293070e421e9c441ab0e9b4
SHA1
103ac0fda11316ca57d6df6647eeebd02506f281
SHA256
8af22f3de2117b3a7681e2136b2a931bdb97c20e883a86554a40c8ae46bc361f
SHA512
8b55958e22088ea8f9d318a832f40ef154efc0805a9c32584fc7e625d2804e4b2dc0ef325d9d815e84b98730e096b921613dea1f08e8cf54032d500a69c6261d
-
Filesize
258KB
MD5
5be6351ea71a94ca4334f3211f5eb609
SHA1
1a5a83bebedcb499128219805296f042e5b9d159
SHA256
8d36de57cc6436f4e82ee672023f17a7f83a7a55af558582c2c139f83fb33ed0
SHA512
f61cab57849d12e9e0a26e73d20fda28085aff2e1a619501d25f9736ff455444a5d05d722ca32bb2356d5b209e29982ab93fd4e6b84acf4cb4b3ab5474d01655
-
Filesize
4KB
MD5
94bf0bf032ce32469dd74f4f1f5320e6
SHA1
86bff704a2f82816f346a6a374250f35743de3b0
SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b
SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize
1KB
MD5
004eba2a24fda787318ce19fec383d25
SHA1
f9e5b03ce43664c60c7937c8998d4c12165af3ca
SHA256
ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e
SHA512
fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize
5B
MD5
5bfa51f3a417b98e7443eca90fc94703
SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD
Filesize
222B
MD5
ef981cb3dc58932f435cc1e7fdf01be9
SHA1
38b2f1d0e8c1cf1f76ba92989a899d2f60678622
SHA256
fba157d330d1c9abf3aa613a1012052b63642422f84bb046601ded4d09262ad1
SHA512
52120e8feddf35463638060517cbba96ca36f7f1f1e51118a95b130c5ce8f056b10b39c8e3b4e39ff52b58e885b6ac852cd635fb1667e82f3ec3c631a4427a83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
Filesize
498B
MD5
f0a28d74b8aac0ce127ad06fe64160f0
SHA1
b8c4779c724d9a4aa4c09219dc5e3d5eec4ee1df
SHA256
0b165452fcf2294867fba8b78e2f1e29145dc18592f11cede73be37d34b40d4c
SHA512
5fdcde4aa165a3db93514cd06731cb61ac78057e9c3df739f6fadb00f353e2ec619a0898cd8d1288c9d95e86ef9aeff7719890eb83da6c66d0a1007759bcfc8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
Filesize
448B
MD5
393d55016bb9f82cbfdc09af7635af59
SHA1
4d278401d005da5fd89570293665fdda2e969d30
SHA256
f61429b838ab4d5e30b33b89f6c28e63ec74bf52fb432ccb782a6525502296a9
SHA512
b3702af347ae0b0bd3503d15ece014bdefa1a1cbcbb74211da6edaa18701e2e1bfad06e853ec29edda9a45ea81b1fd54f9b0a4e3db6948be57ee5265f7b7d8fe
-
Filesize
202KB
MD5
d773d9bd091e712df7560f576da53de8
SHA1
165cfbdce1811883360112441f7237b287cf0691
SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7
SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd
-
Filesize
7.7MB
MD5
68bd8f9af44479db013a77c806f1c674
SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
-
Filesize
12.8MB
MD5
46a5f1af1f480b40dd0963c46b222e67
SHA1
e7211266074f8c344e48b2e80ceac696d56a04e1
SHA256
ea376da2f019f259399fc1ae9668ae8bd98f5115976b983802ce1b8f03c85305
SHA512
3416a9b79417ba0e004a980d8aad149f66826174de404268afe1118266f0a8aeae6e899e9bcf5a6171037c1e001341f93aece875e026e36b2a295f511a4be8b6
-
\??\Volume{6e183fb6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d5eb37c8-f4f4-4e74-b193-83822a8ec4cd}_OnDiskSnapshotProp
Filesize
6KB
MD5
f285a5852f2ecf948d330b9778235712
SHA1
6d281a129632d12207525a623c36e5aa8155d226
SHA256
436fa4e7e605f329aebb460e95d4e0beac77fc434e4612a14f2967d25c7a5030
SHA512
916b702e977851b4cf8d20a30c2af0bd5f922882007cb6f89b322e314c47f1ec19d0783d6b8015b68fb15f00e07bed011a7e853695f61bab7269c0bb1da5da5b