hxxps://drive[.]google[.]com/file/d/1czRk-7piQ98zuzg43Ajqk3W03gwWjP3I/view?usp=sharing

Analysis

max time kernel
194s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1czRk-7piQ98zuzg43Ajqk3W03gwWjP3I/view?usp=sharing

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Keygen.exe

Executes dropped EXE 6 IoCs

pid	Process
4228	Keygen.exe
2716	CB_KG.exe
3584	EngineSetup.exe
1696	ChessBaseFontSetup.exe
2072	ChessBaseAdminTool.exe
4892	CBase17.exe

Loads dropped DLL 44 IoCs

pid	Process
3308	MsiExec.exe
3308	MsiExec.exe
3308	MsiExec.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
1696	ChessBaseFontSetup.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
122	2732	msiexec.exe
124	2732	msiexec.exe
126	2732	msiexec.exe
129	2732	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	CBase17.exe
File opened (read-only)	\??\Z:	CBase17.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	CBase17.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	CBase17.exe
File opened (read-only)	\??\I:	CBase17.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	CBase17.exe
File opened (read-only)	\??\Y:	CBase17.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	CBase17.exe
File opened (read-only)	\??\V:	CBase17.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	CBase17.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	CBase17.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	CBase17.exe
File opened (read-only)	\??\K:	CBase17.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	CBase17.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	CBase17.exe
File opened (read-only)	\??\T:	CBase17.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	CBase17.exe
File opened (read-only)	\??\X:	CBase17.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	CBase17.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	CBase17.exe
File opened (read-only)	\??\N:	CBase17.exe
File opened (read-only)	\??\W:	CBase17.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
5	drive.google.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2072	ChessBaseAdminTool.exe
4892	CBase17.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Galleries\Board2DTables\BlueMarble.bmp	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\32\OPEC.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\PlayerRating16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Sprites\Engine\Hint_On_Hover.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Hungary.png	msiexec.exe
File created	C:\Program Files\ChessBase\Sounds\English\Draw.mp3	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Gambia.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\32\North Korea.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Galleries\Board3D\Chrome120.bmp	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Portugal.png	msiexec.exe
File created	C:\Program Files\ChessBase\3D11\Material\Modern\Standard\Sounds3D\CAPTURE.mp3	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Botswana.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\32\Togo.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\American Samoa.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\64\Belgium.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\64\Ethiopia.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Puerto Rico.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\128\Red Cross.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\Sweden.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\128\Denmark.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\NATO.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\PrepareWhite32.png	msiexec.exe
File created	C:\Program Files\ChessBase\Sounds\Board\Engine\Sewing.mp3	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Lithuania.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\startsearch16.png	msiexec.exe
File created	C:\Program Files\ChessBase\3D11\Material\Modern\Standard\bbishop.cbx	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Central African Republic.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Chad.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\DBSymbols\DBType_Women.ico	msiexec.exe
File created	C:\Program Files\ChessBase\Raytracer\Material\Glass\Standard\bking.cbx	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\Albania.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\American Samoa.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\128\Colombia.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\Forward32.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\LetsCheckAnalyse16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\64\Macedonia.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\Iceland.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Mauritania.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\SimulPass16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\32\Yemen.png	msiexec.exe
File created	C:\Program Files\ChessBase\Raytracer\Material\TallMarble\Standard\brook.obj	msiexec.exe
File created	C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds3D\NEWGAME.mp3	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\Estonia.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\United Arab Emirates.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\32\Belarus.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\Eagle16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\eps-datenbanken32.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\128\Eritrea.png	msiexec.exe
File created	C:\Program Files\ChessBase\3D11\Material\Modern\Standard\wbishop.cbx	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\24\Ecuador.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\El Salvador.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\TopState16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\16\United Kingdom(Great Britain).png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\ChallengePlayer16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\CopyGameAlt16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Mauritius.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\MonteCarlo32.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\64\Peru.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\ReorgDB32.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\48\Rwanda.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\BetMove16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Bitmaps\Flags\128\Kenya.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Small\Underline16.png	msiexec.exe
File created	C:\Program Files\ChessBase\CBase17\Ribbons\Large\PrintNotation32.png	msiexec.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Fonts\DiaTTOld.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\Diablindblk.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\Diablindall.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpTmFgBI.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpTmFgBd.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\DiaTTHab.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\DiaTTUSA.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\DiaTTSmooth.ttf	ChessBaseFontSetup.exe
File opened for modification	C:\Windows\Installer\MSI92EF.tmp	msiexec.exe
File created	C:\Windows\Fonts\SpArFgBd.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpLtFgIt.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\Schach.otf	ChessBaseFontSetup.exe
File opened for modification	C:\Windows\Installer\e598a45.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D83A251F-707C-424A-B2B6-349E467D8CCF}	msiexec.exe
File created	C:\Windows\Fonts\SpTmFgRg.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpTmFgIt.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\CBArialLinkItalic.ttf	ChessBaseFontSetup.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Fonts\SpArFgIt.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\DiaTTFri.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Installer\e598a45.msi	msiexec.exe
File created	C:\Windows\Installer\{D83A251F-707C-424A-B2B6-349E467D8CCF}\Shortcut.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{D83A251F-707C-424A-B2B6-349E467D8CCF}\Shortcut.ico	msiexec.exe
File created	C:\Windows\Fonts\SpLtFgRg.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpLtFgBd.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpArFgBI.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\DiaTTCry.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\Diablindwht.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\CBArialLink.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\CBArialLinkBold.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Installer\e598a61.msi	msiexec.exe
File created	C:\Windows\Fonts\SpArFgRg.ttf	ChessBaseFontSetup.exe
File created	C:\Windows\Fonts\SpLtFgBI.ttf	ChessBaseFontSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4480	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CB_KG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EngineSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChessBaseFontSetup.exe

Detects application with GUI, possible interaction required

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CBase17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CBase17.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	CBase17.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat\DefaultIcon\ = "\"C:\\Program Files\\ChessBase\\CBase17\\CBase17.exe\",0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\FileTypes = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Media\1 = ";CB17.cab"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Database	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\PackageCode = "3B49169801FCA634BAB68BE5FEA2E41F"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1E86A77D8D3A9A243AE031C5762EC990	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1E86A77D8D3A9A243AE031C5762EC990\F152A38DC707A4242B6B43E964D7C8FC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbh\ = "CB_CBHFormat (cbh)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\UninstallUserData	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Media\3 = ";Data3D.cab"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pgn\ = "PGNFormat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Licenses = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\InstallWebView2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\Version = "285278208"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Bitmaps = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\ = "ChessBase Database"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CB_CBHFormat (cbh)\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PGNFormat	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Exe = "Progfiles"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Media\DiskPrompt = "CB17 - [1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\DefaultIcon\ = "\"C:\\Program Files\\ChessBase\\CBase17\\CBase17.exe\",7"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\InstallAppData = "Progfiles"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\shell\open\command\ = "\"C:\\Program Files\\ChessBase\\CBase17\\CBase17.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Sounds = "Progfiles"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\ChessBase17\\ChessBase 17 ENG\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.cbh	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\ChessBase17\\ChessBase 17 ENG\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CB_CBHFormat (cbh)\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PGNFormat\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat\shell\open\command\ = "\"C:\\Program Files\\ChessBase\\CBase17\\CBase17.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\HTML = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Engines = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\DefaultCKO = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\ProductName = "ChessBase 17 64-bit"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PGNFormat\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Progfiles	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\GIFs = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F152A38DC707A4242B6B43E964D7C8FC\ProductIcon = "C:\\Windows\\Installer\\{D83A251F-707C-424A-B2B6-349E467D8CCF}\\Shortcut.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CB_CBHFormat (cbh)	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat\ = "PGN Database"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Ribbons = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\Data3D = "Progfiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC\ReplayTraining = "Database"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	CBase17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CB_CBHFormat (cbh)	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PGNFormat\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F152A38DC707A4242B6B43E964D7C8FC	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4892	CBase17.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4984	msedge.exe
4984	msedge.exe
4260	msedge.exe
4260	msedge.exe
2160	identity_helper.exe
2160	identity_helper.exe
3432	msedge.exe
3432	msedge.exe
456	msiexec.exe
456	msiexec.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
4480	Powershell.exe
4480	Powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4000	7zG.exe
Token: 35	4000	7zG.exe
Token: SeSecurityPrivilege	4000	7zG.exe
Token: SeSecurityPrivilege	4000	7zG.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	456	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe
Token: SeCreateGlobalPrivilege	2732	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4260	msedge.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
2072	ChessBaseAdminTool.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe
4892	CBase17.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3732	4260	msedge.exe	85
PID 4260 wrote to memory of 3732	4260	msedge.exe	85
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 3256	4260	msedge.exe	86
PID 4260 wrote to memory of 4984	4260	msedge.exe	87
PID 4260 wrote to memory of 4984	4260	msedge.exe	87
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88
PID 4260 wrote to memory of 2704	4260	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1czRk-7piQ98zuzg43Ajqk3W03gwWjP3I/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc538f46f8,0x7ffc538f4708,0x7ffc538f4718
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12395488926416590070,3268049312333574469,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ChessBase17\" -spe -an -ai#7zMap7223:84:7zEvent23059
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\Downloads\ChessBase17\ChessBase 17 ENG\Keygen CB\Keygen\Keygen.exe
"C:\Users\Admin\Downloads\ChessBase17\ChessBase 17 ENG\Keygen CB\Keygen\Keygen.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4228
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CB_KG.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CB_KG.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\ChessBase17\ChessBase 17 ENG\Setup x64.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6FED64A9D5FD4BEA612CAE5C1EBA7861 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3308
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy bypass -File "" -prog "C:\Program Files\ChessBase\CBase17\CBase17.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\EngineSetup.exe
  "C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\EngineSetup.exe" /S
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3584
- C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\ChessBaseFontSetup.exe
  "C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\ChessBaseFontSetup.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Program Files\ChessBase\CBase17\ChessBaseAdminTool.exe
  "C:\Program Files\ChessBase\CBase17\ChessBaseAdminTool.exe" /Activation "3356557312" "" "CB17" "" "BP92ALDRWG47GPMPFAN9AMAQX" "" "3"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2280

C:\Program Files\ChessBase\CBase17\CBase17.exe
"C:\Program Files\ChessBase\CBase17\CBase17.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e598a46.rbs

Filesize
459KB

MD5
3fb6ac77525cd43c9a0860b5d1d94923

SHA1
2bb693877306573bb5214b63ae110004f3a6ec47

SHA256
2fa8bbe22598670819ae9c92725a69dddf0f5abe796ae8cb40d6efc13da63b8f

SHA512
8c76360454d6a0b1ff4679e118aeec77c0c012879efa839655df6e3699a816c97ae02a0cc98ebef56c32017f41a7719480bf00465e280156c31f4345b6a3562f

Download Submit
C:\Program Files\ChessBase\3D11\Control\nbutton.1.2.dds

Filesize
88KB

MD5
e76b59cb7514d08cac6894b9179a2611

SHA1
a990abc87e245ff9514b8d86766b610fa370dea4

SHA256
48a880cc9ea8824a001c618d8c79114a04dcf0afc9820e3345795923d5667128

SHA512
6440a2909a1d1d048130e4f30ab67e14e3290845b009d01430bd692e35cf0f85c0c85a3068f173f014410353a59f042061f3627e231fd91d1803f8ebe0c93a3b

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\CAPHIT1.mp3

Filesize
1KB

MD5
ad8c30d1799e993ae1b1f5df5b344b52

SHA1
e9119fc71c5c03aa7f67a35dad09cfc507cc00a6

SHA256
d02bf344b7388a094ef41c6d361f3acdaa770bded7cf84aa23c2213579156c2f

SHA512
09183d16d891cb5af08e19f10ca2909896031112c053487d31d6f477f6d1968ef6617187b1b38e8f73ece46bc327d0f5a312959c55b01910af85617b4a010cc5

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\CAPHIT2.mp3

Filesize
1KB

MD5
41f8f797b583c2ec18785da05810791b

SHA1
f939e2f9ad43ce2497f2e583f8ae71e149da7034

SHA256
87fe771443cf97072fa25228d350a51262f3bc1eda6c8a8608410622d25b108d

SHA512
d404111bbc0486e2ec6f36c0cc6c26d55dbd98fef78beec8b1e9d0dada9cc7f10230325b412ab5e5140e2be452e3ec36b80c0c6f78898f273f9cea5bd1e42627

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\CAPHIT3.mp3

Filesize
2KB

MD5
6f30f443064a82088eb9172e8d753bb7

SHA1
81c4668a6144770a092cac64ba00b81517d5e0de

SHA256
9fb9da0c6117ea20c3c7045bc2544e0034557eb761bca864d7c89553e51622fe

SHA512
dc3b2ea77c7f7533235384969549181bc95c78d8124e5924df68b6bffe81dd6af7ade8033bd528c6af318cb5c8292695f786b3743c56ef63d8463b76b0a0ae0b

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\Collision.mp3

Filesize
432B

MD5
2b18bb95635668c3cd3459046c06c796

SHA1
362710a619494d2db82b2b463bddb13653dad535

SHA256
c3128ac7494ee9135e2e792e330e64bae13f425ff04c668ba35aaef7dc1ed997

SHA512
e7b0d6f53ea76094e86131b105f97ddf9cee0fb2e08e2c262f9fdc699a3facec9254abafafdc22dcca345b53f59b72dd92bbfc6fd582784c383aa8c1c62e0ef0

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\MOVEHIT1.mp3

Filesize
2KB

MD5
a63f9da44171aca59c13def33cc1becf

SHA1
aa34b03cf10904ba7482adaaf7ddc4448a7cdd30

SHA256
6d76dffda519fc0fd7e0739557cf90ca3ad259d58a8e69643e55273be5f87a8a

SHA512
3058c000ce59b72cb26e7bda2134d7b5adcd2ecfe866b8f8b6153e872286e6116f813b65eb99101f1a95dd9c831e67f14552119c743965a31d6193492657a0b9

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\MOVEHIT2.mp3

Filesize
2KB

MD5
e804491c6923e1b16ed2f9420eb2d715

SHA1
a0ded2e2ba60b55a39531296feaf740d44cac02a

SHA256
1a4d70cc75a1dbbaa9abddd6035401dd59a94f966ee2c0b943ca0c2f69ecb8d1

SHA512
68d949c1b3b7df98d1038c98b32b48a8770266ef820ab22a2b1461bd810b48ff2aabf8e24a413eff644b218b32ef6ebca4ed4ae8001effab2b7fd55722ea1fb2

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\MOVEHIT3.mp3

Filesize
1KB

MD5
f79d43d297c535679f85c4fbcf3247e2

SHA1
8c7e04fb7112be727370c4592661e43029b5cc0b

SHA256
7628c31e162261df4f32913ca7a1e56832de2c985958b98823f91457ba15d43f

SHA512
26c1caa3b1558e026059aa142963cdc92b42e004a37eb7c68e1caac1904598ecd96b91be00dc86c26330855cd90a03406d33a1853729a9444656bbb091ae3152

Download Submit
C:\Program Files\ChessBase\3D11\Material\Wood\Standard\Sounds\Tick.mp3

Filesize
10KB

MD5
cfe90aa63bbff7b355536eff49982d19

SHA1
74926c571137227feee16be30075a07b86da2655

SHA256
749090ab93f92b891a2bcf9fe0e82332ce2e20e3c4e64d3e183416a0df530598

SHA512
6b53e831d0044ec34c883260e46ad180506d08bafdc50264be8bb213f544032722b5e08d6affe753ccd8b0fc5c84942be07b6d1d466736f6154c9063cd0ba14c

Download Submit
C:\Program Files\ChessBase\CBase17\CBase17.exe

Filesize
24.9MB

MD5
109c797f7251d4e3724f50728a143665

SHA1
e043e2af7f28b523d5096ef04214517547371d0c

SHA256
7723bbd52de31e1a050f7e9c2706b4e40be0e693869ea9dc152c0c831bab8b66

SHA512
a9cf8ccf86cc7a4f352c2392088af3335c3a98b637dcfe1c4e35595b6b4a38bf3e361dd7058d5737e0722c08f991b70f5a35e8f0b3be628a74bf96f373c5e8a7

Download Submit
C:\Program Files\ChessBase\CBase17\ChessBaseAdminTool.exe

Filesize
1.3MB

MD5
6c14692574028e2889502526d46e1cb8

SHA1
88d524354c4309308ab9b8a82ed9bed703d3ba8d

SHA256
8bf8afcf0fab8897efd40e24f3c3ed15c1716a68485208dba98c431881991c08

SHA512
99f8feb4ccd1f27f94683e56eb8776a3110eca8a81e218a21aab99314250ceb78ece9feb98dc41a84903092de4c49fee0c3a82bf535f17075bf10020e4586f11

Download Submit
C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\ChessBaseFontSetup.exe

Filesize
535KB

MD5
f7e5a20dc16aaf3d83d620bd63b0e9dc

SHA1
1d98a18d6368dcb5b2eb775cb10c3101713a84a9

SHA256
25a36cd67b3514836c90579bd9359ee05c2ed18deeecd525a790f7780e6db146

SHA512
4f0ef13c87d2677144e871e82a0a1a3e665e5ed9796a01158c9537cf4c91efdbb28aa7444e638dbcef24d36556809d027e32b7ea4e5533502e762c81361aab4e

Download Submit
C:\Program Files\ChessBase\CBase17\Prerequisites\Fonts\EngineSetup.exe

Filesize
506KB

MD5
592e122e73bd20b37b3e117e61960fcc

SHA1
810ecda93073d1ee6ae8397cdab31867d631c56b

SHA256
7d489aad77a49a84ccecd5ff65ddca4f59b1214de69bd8debc14ac6b727a0b77

SHA512
6f66d3f105d9e496ccde2cc77dbc8c6dac5e41995cf99a88851027c596b072e92e33061a0e968b1a87d949dba8c00c6b7e73f374e7254b4456bf77670967dbfe

Download Submit
C:\Program Files\ChessBase\CBase17\Ribbons\Galleries\Board2DBack\Plain.bmp

Filesize
17KB

MD5
1b2f13fdf11c69394b4f6cff7c2da63e

SHA1
1bc069245f1b66b54cb64023dec562fc68c28d31

SHA256
b4caf1e07951f928ad0682962c80ca34685469f8a47d363e98d66c8a2d245763

SHA512
c0abfd3d19062aefbc19b344afdda1d6015c8c8bf935c232fe938a80812b72b7d52d9bffe4b71e04d015f4ae143aa6d5663899228d57781adf79575d3d14f205

Download Submit
C:\Program Files\ChessBase\CBase17\SView3.dll

Filesize
1.5MB

MD5
3cd7a858803a5aaad5b294b796bf79ab

SHA1
6b97436aa0f6ab61dabf58be544fdcacd543638d

SHA256
6c6aa53559ae5ec617ea8405b4378b0ceacd10cb2b0054c0d8fb72b69919be5f

SHA512
3efd36f1f1e56ecc9863b8ee175b8859fb9ace2a870d76a1a32d583ae32991bcc5376a7030a8e5c56432e9f3e9cd6940f0cb4a7cc689c4c827d36350121397c9

Download Submit
C:\Program Files\ChessBase\Raytracer\Material\HiResWood\Standard\wpawn.cbx

Filesize
62KB

MD5
16d402d674b849f7520bb1df687a62e1

SHA1
fdfd78444bddba8e85b987d066924e9aa99d5d9b

SHA256
0a35ea313ef373c14d7682122de26f2a094fadc11f1fcbdde7a74b0f75039788

SHA512
0369ab5c0a9babcf3d7495f346455ecf4228bda47d090472c1bb80b4ec1d960cbc84167519c37e4b214404d254c79c16acab4b85f7ada065e6edf2db0243e7c3

Download Submit
C:\ProgramData\ChessBase\InstallAppData\CBase17\CBase.ini

Filesize
238B

MD5
b447b0aad9cb373bbc708f4128f9df0c

SHA1
667da28696dffedb3618978823e5321503955663

SHA256
9f0f6c20a72f3b6064aa9b13442984fc4cd888b23757f4d8ff30d1e87922d8b4

SHA512
5650b62e15ed1e18a64cf43037e0837f2b55325de058a2fe149544e5a6710ce60052a9e9b1cc928bfbfda19d9c46b4bd8bcb789fd19345c12ddae8eeb4e88f97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
543ff9c4bb3fd6f4d35c0a80ba5533fc

SHA1
e318b6209faeffe8cde2dba71f226d2b161729af

SHA256
40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd

SHA512
6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_772251DD19977E1B262DA5D1DDCFA1E8

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
d7bf281bb163e56b07260e5b9275483f

SHA1
ac46d09c4237b2b6c5359f7f38924f02ed7cbd45

SHA256
3ef77254309c3e9cee6c667ae6cb7c990130b4da2fb9e96c5248feabe8bb9d5f

SHA512
2ad6a499edb82c695f0efc41138986b945ae386666857173287ae59396b178e3fe1b31db8eaf8231baefa3710ecde533fc2b7c4553eacccb35c9b960ebc173be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
04b6ea7b476ea9321c4abda663161f38

SHA1
788ff059b150748246b09b61235cf1f9b0f69760

SHA256
49423bf10cf095625c676436813300b442570d163b2a6599d296b3bcd713b799

SHA512
51eed962d7c4bf0df32b78d0bf6a13d2952f55ff84ebd4a9046565a244bd93bae374b1e60ab54923aba06e037534f9109cf787840022d7bc817e7ce41119afa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
3c31bf4a2e8e8e6389fe24a82ab22095

SHA1
c6105014808e7bc9e08ecd88cbbf911610630ca8

SHA256
9a593ea743c42219054b9b7aa7ea4b931bcdd9553f23fae9eb0e3094012abd8b

SHA512
fef2e3125c42da5df2b9c2a71d32367c168937d9cd563d6bdc4b85b5258805a656580f38fcebd342074d4032189efe13565729b4591bd21c7d3f82fb6a7eee45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_772251DD19977E1B262DA5D1DDCFA1E8

Filesize
398B

MD5
54b023e06f0cbf3cba63cae81d3c0753

SHA1
70fe722bf056e43901a32eade13be128c4e13f12

SHA256
66fa59ab8fdb09c12c2be43e6a87bc33bbe4601fba481845e97514882d0cb311

SHA512
37e762ca623d49990a87324b5c4165042241013700628b47efe9ed647bcea145144074aa20b7b2b467e07ac1ee514711500b1bc4b1671d0859fb1f730d49694d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
79d7f6a4352d752899778d7a4c3667f2

SHA1
73ebabe35e4df7be9e021197ae7a6e139038b35a

SHA256
603bf96f1d6a27b10f83a4ad10e66a838a1f10168d109fa479e94cd91a8d142a

SHA512
c2ea7fa1b87dd24f9ec4f991036a97db4f0e0633b2b1d23e627bc29583309b7c36391fa8a504cf58eaf144b0112e97cb26abee65831242f7f7abcf8a3f4c4155

Download Submit
C:\Users\Admin\AppData\Local\ChessBase\ChssBase.ini

Filesize
204B

MD5
790ffce3b05b0ab1896df5bafa76c390

SHA1
82e40356b77ba7866538dc33e6597e3026631f40

SHA256
2c5ad724cf01c2715fb4eab03dbceeeb076b81676a4061a06eb51c31bba5c19e

SHA512
d14f79ff4b8cd520e761329c42b77175891ed4442aea6752ef7ef80a9524c0bb700361cd5cdebeba5ed2523263732094c9550254504b808b4e7b6422a920fcca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
37a399ccc3d1e677f3e14c608c531a90

SHA1
98673973fc1be3c4cb22a238a5f6375f255e5409

SHA256
efbe18966adff9634fe5e4fef711a8ad42449f61c927cf13c76ffe5c5fb7cc10

SHA512
8c181d904bc7abcb85a6c94940d2c46f4c95d1b0f955a5f45abe5e3c2b6959bbc7214d4b68e72c856fbfac3accfd5b61984293dd78e2311b32ab573f308e5e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6a32f84736034c6ef2aa7d437c9545d6

SHA1
ce37f0c432c11569b3e25d7e45f877b53a777b5b

SHA256
75b52e3354597ce99734ad3993c162d46fcc8646b7deb6a3ce429f98ef798c44

SHA512
c46a9f2b423f6a73598fccf577e85e76a0b7598715759db134a708e3655eb3e4dde8a3e827247c047ab55d05e19a7a7af5da1dcdd9123dab7c3823e4dddfbb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
db4d92d877616dbdf0f4cdeac79d5244

SHA1
2245db2ea45a8e34a65ba0d814e5e4b07d106b89

SHA256
a88e600a0070235a9778badabba52c32e5538101d478ce8040615668feb1fa57

SHA512
b64522cea5dfca095fc8610860140fe4c88274e4a60e43201cc620c967ddd1ba6a0c2393e01fd676d5673da4cb1d08ae64a0321580355bf3fb98350f74ca4a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cbff2660af8317e4ac636ed6337587f0

SHA1
0ce07c3dbd287fb6f5cdf1922f7247addaea9e12

SHA256
08d17fdd4755e7c48b68df1445d2d2705c9ba414564123d607c9bca4e5f7b97c

SHA512
39cea4a82b15c49117bfd2da06f8ee4b2e76fd12a9e670cf6d6c80d84cc7a874866cab3bb43be2810dfc8500e27b0f071f0d9cfe8e37c56e557d098fa52660fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7b81388dea973de3fe6d6349c42c6540

SHA1
3f424546f2aaa56b6fec41b6fadd6c88c17f6dd3

SHA256
2e808bee4cd4afaa0b6804f4a52760609c5ac67838c3915a3021615e83d07e32

SHA512
2948c8398d15cbf8152c504e0255c0b877417e99aafcb45bfa09d40e0079dc7559e453b4ad356ff64118657f6904687105086c967e7e3634a9bd1057f71303c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5a31380d43523b2d4d56094007373e5

SHA1
42c3d90970744124b7a11b3ab9bb807a788387ad

SHA256
d9dfea2d37e54d374e810298f9194348df3d6e1ce48916c011230d864243a34d

SHA512
496392f37656b3b0add7431acd3d03d297587fda3e3a24344f3f0ec7772dce2f74dfcfcda9953235cd7fbd4ac5e1a7b4b7562aa10a9bf55b0d91fc68fa07628f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bd321b0a7efbe22a94836ceef1da1b11

SHA1
07808bcfb58432badbfef0fc54eb2c9e35576443

SHA256
e24624ce7f1ada0ed45c6529b0872db0265049eaca2a04d95183a1f38d7bff62

SHA512
c2e94e763ff00048341ac63aa6a1e2fc4a993624100373a97d655dca84624ad66c861e2405ba6e209565e9c7e8cbee4dafcc6c31e716767ee38d336772163268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
788180b54a8f594b54eceec67d19aecb

SHA1
913595ec2cc784f925f247a5bf9c6acabe101358

SHA256
44d9a5429bdb4d56fe700fd1bed517340bfbcd2b719c3e038710675beeb4c4d2

SHA512
a4069f33d69be4f88cd42af68804c1cb2a74d342d77bdbf2bbbf8a3959bdfd060547bfa16895a299914a50b3840a9753794cd94cbc8e36ada93a360817c4498a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33ff8f41cbc449f14553db9ec8dbabd7

SHA1
cead8052664d4b5ac1a9ed7af961f0f89133038a

SHA256
16b5b83d72105e3e9f4145b0423dfc4a00a4ff61a34a7f3f008f7f678c8dd877

SHA512
3109c05195f6088cdfbbe848f029fc4a9d672d7964f545b20edb92b48389185d855914de12a59dfdc1d6c59ff0bba1880d3917883fe84a78e0e1db29749b56c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3b13a4c4201274cb7ec8c40421884ee9

SHA1
b23329b9e4ccd7cf2665c7844d913d146ff6ca6d

SHA256
5d0677c0e74cb26ea174f10c6577270028c50c0c4c7604616881eaf57e3e9fab

SHA512
a6674c2b06bc1d648d8665d1c30e8879c76bd64cd4b0036d2ca4a682940a53767ca794057644f0827d4a8ea549fff5c72fcb6baec7b6a9df943fa7ba6299f81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4D4D.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID04B.tmp

Filesize
96KB

MD5
c669a75b2dffbb1dce56ab53818b8653

SHA1
bbb413e8c081088eae97f101b612e1c39fb64314

SHA256
2666d2f77dc8aecd2feda3d9d519e8fb80a3fe9d425eb4b4f1cdd3735eac7747

SHA512
b74b75bd281eedc757613db536d2a383cff77a05d5b7f6b46c0351d33c2b0524842520d625a66312aef59ed822d3b4c2a5e15809b6d2f19592e040e043c005e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CB_KG.exe

Filesize
3.0MB

MD5
9e07a919c6cd1fe569318d726a1b467e

SHA1
b472e43d6292f683b69010b54ce7f6795af5aba7

SHA256
3fc56148604df4639299cac494f9b29316d55f87ab03cb43c25a9b2e184f9857

SHA512
4d1c16cfe7bc288ea3fe6dd3c77923fecc3a4e1bd67b4d48594dc1fb997bf0773d573514a9c7ac3fe4ba821c6be80cfe294f8cc769ca0ca92fd6e2b37234124d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ddqd24i.txe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC200.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC200.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\Documents\ChessBase\NoGames\Activations.txt

Filesize
685B

MD5
43b3815aca0c93011734107ee445c140

SHA1
3f54277358256fa0195dfb30ba7d1381d45873f2

SHA256
c59d2437ad7bb9361dd3d55bc53a6ab6d7cc6ef222cf859d845ce4322eeffa15

SHA512
719857dc0d224b2eca7b703c295715ed482397c4cf4f21fbe40f8679b695aac6bf99f36679a3c8f75b2742c5a305c81f6c4ddc91587e71295c539be81a29799a

Download Submit
C:\Users\Admin\Downloads\ChessBase17\ChessBase 17 ENG\Keygen CB\Keygen\Keygen.exe

Filesize
3.6MB

MD5
03eba8a1a1adb5337d8b43ccb6b554af

SHA1
114a86deb1f51d36fa1398a16dc974dd98938a8f

SHA256
916f8dff7063ed6b1108e19e0f400f0969e7ae80f69f67c266e56f7055b92f2b

SHA512
38e0f27a719e9e7593591d85694fb28628cac7400b4c526907094067b73ad1902cb3b129b6062cb168409d2248ffe054f33c8415a26add2dd2f33b32ca73cf21

Download Submit
C:\Windows\System32\mfc140u.dll

Filesize
5.4MB

MD5
0f3bccc38502c5543c02266e6e62b738

SHA1
4c5eb318eeea2c208e6931178d3cc5b1d59c4e2b

SHA256
bc9eb4f2c8a8e9f1ab4cf67b935bbe13e5fe456faa8b9e1d486ef81c27c4d810

SHA512
de9758b1eae1c2f1375b415b44dc2b8c3b65fafae9aaab53db85341f7c00f9499d9dda9a80a89a3d4fc7f4f7bffd335564863d5a2ea7719d59e13f7d1ee4f87a

Download Submit
C:\Windows\System32\msvcp140.dll

Filesize
566KB

MD5
0929e46b1020b372956f204f85e48ed6

SHA1
9dc01cf3892406727c8dc7d12ad8855871c9ef09

SHA256
cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8

SHA512
dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Download Submit
C:\Windows\System32\vcruntime140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
b1a470a417eea96e7f704addc706aff4

SHA1
5eb49837756156e5008953162f7aee008954e91b

SHA256
5e025725de8537f6fd73613099c392ab94b0f832276eb68084d9ccc8bbbb3476

SHA512
e7ca2298e735d0a69ce9d814a505f6b6279a934ded8ce486c4bb60217c16d1cc129da089b9f0582edb988c34aad9053ac615ad4784ef35d6af17c2c3aa998a21

Download Submit
\??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{644055f1-4767-4300-ad64-2cf6b20c412a}_OnDiskSnapshotProp

Filesize
6KB

MD5
2be80c0ac330b68cef40cc38d82d14a2

SHA1
d47bf1540b764f51317001ad6fdf2fa688a5e6bd

SHA256
b0eddcb21b59683a4cccd336a620a268988a9941aa88c4a5eb2a208b4310078c

SHA512
dd9bb44713bb651fcfdc5c26636fc17b84ca08a1f8c9a23a5d8c72bf13b6787fe29716238e7b59c914b14570748928f92f20f6d07ce6487a926c3b4f4cecca6e

Download Submit
memory/456-3279-0x000002D3AAD40000-0x000002D3AB801000-memory.dmp

Filesize
10.8MB

Download
memory/4480-3946-0x0000026EAD860000-0x0000026EAD882000-memory.dmp

Filesize
136KB

Download
memory/4892-4118-0x00007FF637AD0000-0x00007FF638AD0000-memory.dmp

Filesize
16.0MB

Download
memory/4892-4121-0x00007FF637AD0000-0x00007FF638AD0000-memory.dmp

Filesize
16.0MB

Download
memory/4892-4122-0x000001B92B4B0000-0x000001B92B4B1000-memory.dmp

Filesize
4KB

Download
memory/4892-4120-0x00007FFC41C00000-0x00007FFC41DA8000-memory.dmp

Filesize
1.7MB

Download
memory/4892-4119-0x0000000180000000-0x0000000180C0E000-memory.dmp

Filesize
12.1MB

Download
memory/4892-4116-0x0000000180000000-0x0000000180C0E000-memory.dmp

Filesize
12.1MB

Download
memory/4892-4162-0x000001B931170000-0x000001B931320000-memory.dmp

Filesize
1.7MB

Download
memory/4892-4163-0x000001B931330000-0x000001B9314BF000-memory.dmp

Filesize
1.6MB

Download
memory/4892-4117-0x00007FFC41C00000-0x00007FFC41DA8000-memory.dmp

Filesize
1.7MB

Download