Analysis Overview
SHA256
b0469b884ce50fd51a6ca3b1a599b985c92dd777bebf2b796b1bdcfd8928f5e0
Threat Level: Shows suspicious behavior
The file GTAIII (CD1).iso was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:18
Platform
win11-20241007-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Directx.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1136 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
| PID 1136 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
| PID 1136 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe
"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe /packageinstall
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxsetup.exe
| MD5 | c247f3544b1a7cfb76c6bc4093f9a275 |
| SHA1 | f361df15912830813ed57c5517b2166fc40fba22 |
| SHA256 | 89e7e2504984c260ae53d06d75879808c558e1b9c007d1825bcf1eb1d29bcdaa |
| SHA512 | 0b7d4428d28209514ce1ceecc212476a3184f831e28808b5295c17f23c3861de75ba7f725af6705d1e546b16e260a6ac8d3d989b9f38e98a0960c00f3056b1f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP.DLL
| MD5 | 4f5f399a970a921f883975a2228a1c8c |
| SHA1 | f2c39bde79a6d91f8e35dd4eee5ebed4573c5615 |
| SHA256 | 0fdfff9a5db0bd4b16a9663a6616308c511a21e3bec0bbed60ddfa2597c73acf |
| SHA512 | 7a03587c77eaad433fb49694b9cabbc0bda8e8554a97ee3ec63ca09dd7df37cae0031c1b9b52ab4d76d45fd847adf5a7680bb0dc803166ce4fb4cfc12aa017ef |
memory/2364-576-0x0000000000480000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP32.DLL
| MD5 | 833081979e1590bd9e7910b1ca44ddd0 |
| SHA1 | 79e741aaa0f6f1707cc6071b69fbd79d0375f181 |
| SHA256 | 72b472f42fa4c0847a458a426753858ffdbbc35c0a00cf29c27bbf70af055d3c |
| SHA512 | f7eb86386278d68580b4e46763972e55db07a64a6accfd4e7b76ad0e59f60180c354395ae3ab94a1a2f4ec36444587593c68ba430f27664fac0cb0904bfcac98 |
memory/2364-581-0x0000000000B20000-0x0000000000B57000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:18
Platform
win11-20241007-en
Max time kernel
85s
Max time network
96s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe
"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:18
Platform
win11-20241007-en
Max time kernel
136s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\layo7dd6.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\animviewer.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\carcols.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\map84fa.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\coms8596.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\gene86cf.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\menu8e8f.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAtitles.mpg | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mssrsx.m3d | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\fistfite.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\particle.cfg | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comse.ide | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industne\industNE.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\landne.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landsw\landsw.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\subroads\subroads.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC12.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC8.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\Mss32.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\default.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\default.ide | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\props.IPL | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\suburbsw.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comsw\coms85a6.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHAS8681.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\ReadMe_FRENCH.txt | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comSE.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\subroads\subroads.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE18.DAT | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD943c.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\indu8548.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\hud8e8f.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\Coll\commer.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mssd920a.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\Readme_ITALIAN.txt | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\Setu7e05.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\gta37e24.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\suburbne.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\fonts.txd | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mssr9219.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\gta3.dir | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\Generic\qsphere.DFF | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\Generic\whee8f5a.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\pedgrp.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\train.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\part8edd.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\engl92f4.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrf954.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\main.scm | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\time850a.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industse\industSE.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\indu85d5.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\land8604.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\landne.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE10.DAT | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\font86a0.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\models\gta386de.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mp3dec.asi | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\msseax3.m3d | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\NEWS.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objef915.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\InstallShield Installation Information | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\anim\ped80b4.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper.1\ = "InstallShield setup object wrapper" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.User.1\CLSID | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ = "ISetupObjectReboot" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ = "ISetupType" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper\ = "InstallShield setup object wrapper" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83755DD1-086B-11D3-8868-00C04F72F303} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\objectps.dll" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices.1\CLSID\ = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ = "ISetupMainWindow2" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ = "ISetupCABFiles" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\0 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel.1 | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ = "ISetupFeature" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper\ = "InstallShield setup object wrapper" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\ = "InstallShield setup object wrapper" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.ScriptEngine" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
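The two signature groups above go together with the process list that follows. IKernel.exe is the InstallShield 6 setup engine: it is started once with `-RegServer` / `/REGSERVER`, which is when it writes the CLSID, Interface and TypeLib entries for `Setup.ScriptDriverWrapper` and `Setup.ScriptEngine` under HKLM\SOFTWARE\Classes (and their WOW6432Node mirrors, because it is a 32-bit server on 64-bit Windows), and again with `-Embedding`, the flag COM passes when it launches a registered local server for a client. The privilege rows come only from vssvc.exe and srtasks.exe, both run from System32; `srtasks.exe ExecuteScopeRestorePoint` is the System Restore helper that creates a restore point, and SeBackup, SeRestore, SeSecurity and SeTakeOwnership are the privileges that work requires. The 8.3 short path (`C:\PROGRA~2\COMMON~1\INSTAL~1\...\IKernel.exe`) and the long path name the same binary.

The following is an added example, not code from the report or the sandbox vendor. It parses rows in the report's `| Description | Indicator | Process | Target |` layout, collapses short and long paths to a basename, summarizes the COM GUIDs each process registered, and raises an alert for any privilege adjustment by a process that is not one of the two System Restore components running from System32. The allowlist is an assumption made for the example; the sample rows are copied from the tables above except for the `example_unsigned.exe` row, which is constructed only to exercise the alert path.

```python
"""Triage the pipe-delimited signature rows of a sandbox report.

Added example, not part of the report: parses rows in the report's
| Description | Indicator | Process | Target | format, summarizes the COM
registrations made by each process, and flags privilege adjustments by
any process that is not an allowlisted Windows component under System32.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's registry and
# AdjustPrivilegeToken tables, plus one invented row (example_unsigned.exe)
# that is NOT in the report, included only to exercise the alert path.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.ScriptEngine" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\example_unsigned.exe | N/A |
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption for this example: the only processes expected to take
# backup/restore-class privileges during an install are these two Windows
# System Restore components, and only when they run from System32.
ALLOWED_PRIVILEGE_HOLDERS = {"vssvc.exe", "srtasks.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_rows(text):
    """Turn '| a | b | c | d |' lines into dicts; skip header and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.split("|")][1:-1]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows


def basename(path):
    """Last path component, lowercased, so 8.3 and long paths compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def com_registrations(rows):
    """Map process basename to the set of GUIDs it created or set under Classes."""
    out = defaultdict(set)
    for r in rows:
        if r["description"].startswith("Token:"):
            continue
        if "\\SOFTWARE\\Classes\\" not in r["indicator"]:
            continue
        # Only GUIDs in the key path itself, not in the value data after ' = '.
        key_path = r["indicator"].split(" = ", 1)[0]
        for guid in GUID_RE.findall(key_path):
            out[basename(r["process"])].add(guid.upper())
    return dict(out)


def flag_privileges(rows):
    """Return (process, privilege) pairs for token adjustments outside the allowlist."""
    flagged = []
    for r in rows:
        if not r["description"].startswith("Token:"):
            continue
        privilege = r["description"].split(":", 1)[1].strip()
        proc = r["process"]
        in_system32 = proc.lower().startswith(SYSTEM32)
        if in_system32 and basename(proc) in ALLOWED_PRIVILEGE_HOLDERS:
            continue
        flagged.append((proc, privilege))
    return flagged


def triage(text=SAMPLE_ROWS):
    rows = parse_rows(text)
    return {"com": com_registrations(rows), "flagged": flag_privileges(rows)}


if __name__ == "__main__":
    result = triage()
    for proc, guids in result["com"].items():
        print(f"{proc}: {len(guids)} COM GUID(s) registered")
    for proc, priv in result["flagged"]:
        print(f"ALERT: {proc} adjusted {priv}")
```

The path check matters: a binary named vssvc.exe outside System32 would still be flagged, because the allowlist keys on both directory and basename rather than the name alone. On the report's own rows the alert list is empty; every privilege holder is one of the two System Restore components.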
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
Files
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
| MD5 | bf25eb6a1e0aa2fff0cb190270b95418 |
| SHA1 | 79cad1291ac8b042af8454328ef7c71ce04a7c9d |
| SHA256 | 4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1 |
| SHA512 | 66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b |
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini
| MD5 | 62d5f9827d867eb3e4ab9e6b338348a1 |
| SHA1 | 828e72f9c845b1c0865badaef40d63fb36447293 |
| SHA256 | 5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5 |
| SHA512 | b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
| MD5 | 003a6c011aac993bcde8c860988ce49b |
| SHA1 | 6d39d650dfa5ded45c4e0cb17b986893061104a7 |
| SHA256 | 590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a |
| SHA512 | 032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
| MD5 | 8f02b204853939f8aefe6b07b283be9a |
| SHA1 | c161b9374e67d5fa3066ea03fc861cc0023eb3cc |
| SHA256 | 32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998 |
| SHA512 | 8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
| MD5 | 377765fd4de3912c0f814ee9f182feda |
| SHA1 | a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1 |
| SHA256 | 8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb |
| SHA512 | 31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710 |
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
| MD5 | b2f7e6dc7e4aae3147fbfc74a2ddb365 |
| SHA1 | 716301112706e93f85977d79f0e8f18f17fb32a7 |
| SHA256 | 4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1 |
| SHA512 | e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83 |
memory/2948-105-0x00000000032F0000-0x0000000003328000-memory.dmp
memory/2948-99-0x00000000032D0000-0x00000000032E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\isrt.dll
| MD5 | 61c056d2df7ab769d6fd801869b828a9 |
| SHA1 | 4213d0395692fa4181483ffb04eef4bda22cceee |
| SHA256 | 148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66 |
| SHA512 | a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172 |
memory/2948-119-0x00000000033F0000-0x000000000341C000-memory.dmp
memory/2948-113-0x0000000003330000-0x0000000003383000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\_IsRes.dll
| MD5 | 48ea604d4fa7d9af5b121c04db6a2fec |
| SHA1 | dc3c04977106bc1fbf1776a6b27899d7b81fb937 |
| SHA256 | cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b |
| SHA512 | 9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707 |
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\setup.inx
| MD5 | f3c79c972c0efb3d3b24ac01b013af04 |
| SHA1 | 856c12f6c90ed9be470c568df06bd086885ac464 |
| SHA256 | d3308c03573f3d0f9f857c2e7bbb5bca38a1012341005138870c9fdc30d82adf |
| SHA512 | 3c560749df1405c0374484f1a8473c6713dd12d9b5610648fede9e21d48892b4b4f9d33f70cd74edfa8ddaf17223f795b9a78002265561fd42cd76884b094b2a |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl
| MD5 | 5c313e6b51d76195c0f717bfa48a3a64 |
| SHA1 | 0205ead687dd54ff6bca4facfb017867c6bcba25 |
| SHA256 | 5b40564f0e41e816dbfb78dfc6ab3d63206f2e0dd6bca48bc16ad80d24b0fc0a |
| SHA512 | cfa5d5e7534575bd603f80251a58354398cb23d356ec1bac4f2733f5046f8c7c0612354bfee3af75e7183c0b64ed4da8fa12ec1faf0910e0a300389b5285e323 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comntop\comNtop.ipl
| MD5 | 49cffb707d6086725fea02aa0becca61 |
| SHA1 | fc69da4751506a8e956273457f31efb5b77f112d |
| SHA256 | dc4f41787d84508068f91c60edf0585b2d3333401c84d4b2bf2aea9c1e03d2c7 |
| SHA512 | f99770f0d60eabcf86e2218552d14eb72cb50a55c0ded25486c1af8db733aee7e6eba130aea15abe4147432f0a982db078293a2bfab9eb66769019cb3d493d9d |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comSE.ipl
| MD5 | f8bf802c0d8ef94fd0debea7d2c5b062 |
| SHA1 | fe0583bfbbc6942e736d3404ca756ef9ad99e1cd |
| SHA256 | 89184f15ef8fcb78afdc8eb0cb2fe211f75373c8bf13ae8b6953b483a43d5e61 |
| SHA512 | 129a923636472c0346df91bd25506f896ef99b7b827d9b19a649bdb261b00e8dac5acb1125494a0d3fc868d5adf3157186b200884d57a68aa2ce85c775313b47 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comsw\comSW.ipl
| MD5 | 58436be13920cd4827699de686e05b0e |
| SHA1 | 8e98e21316f238812a77950adb9bd949c024282b |
| SHA256 | ecdb2c8b3160711546da881f3ee87990426f67c3acb3548c2fa51b48b3b441bb |
| SHA512 | 3bcaacf155d379a1f38e8b1eef0df14984e52387064d3118a065e780031e3f6c63857a6556db9d974193e583a9067aff81f53a072c4e37be4111078c39bc1e25 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industse\industSE.ipl
| MD5 | 87a427e81c81c223e20a82906aff91cf |
| SHA1 | 1ae310730144f9b47ab65c2dffc0a0be53206e11 |
| SHA256 | 7c012c51317d7e1305fe8bb24c62075af816ef3f6c9a9beb58d46f6e855c2ba8 |
| SHA512 | 48942ea58f232882be6ede1765be55b4530a58a8734b379de9856a2876d3d5a1fafbe8673a1a231db11689f071978a913025f888aa0e6e71d47be849e7608b58 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\industSW.ipl
| MD5 | 756d445299812e430fa77faf8695a436 |
| SHA1 | 20eeac1bc4df940363100a1f68fd57e997cf9146 |
| SHA256 | cac6c6117a6bb73654d42643b9e81ae89278ce82dca52acd626565229e8bbbd1 |
| SHA512 | 2bb45dd91b444768db4a3814f5f46dd9be8aecfc6c419af225b288d5266db2da0cc9dde3e577586d3c03a5dfe7ab73f695de0aa4ae514de69d390d512a4d4423 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\landne.ipl
| MD5 | 90e76aa9ea1d6de6c74e9cfa2276bc0a |
| SHA1 | 9a5c05ceb612f031429e561829d44c3167f96ded |
| SHA256 | 8e5479895047d275869f47235ba217237a09dab7cdc5c4de949ec25238472767 |
| SHA512 | bcaa779df8a38798eb639472f47ce32986762ffe7d5f294a5ba66612970b629ce5463d2446785a5f1a4cbb6d99d3d5e6a97ccb02e8270a70ca80a1affeccff8b |
C:\Program Files (x86)\Rockstar Games\GTAIII\models\Generic\player.bmp
| MD5 | a5b4affb8b9ebff7f920cc072d91d3b1 |
| SHA1 | 3b34ec9bcfa615e82b4298e55189cd063676bb52 |
| SHA256 | 94d230e38345c5a4e7ac654f3f934c4863f8ac0a9835922e9abc4626146b712a |
| SHA512 | 4ec06ad30f8eabc9e261220248d9150a8edb514f2473539d46991b068e7338852d5917658537a2b1d8d829a84c3b72d2084fca2fe9a96bef0371242119f211a4 |
C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAtitlesGER.mpg
| MD5 | 202a663fea111c8a5bd18e2310c1f7c6 |
| SHA1 | 76b86161f44379526a8826b5722b9b869c91594a |
| SHA256 | d085d75b268d35092d72ddf92d949c19d25d448bae73f24d8f63f19576e80e43 |
| SHA512 | 2d4d9103a5083d1057a6b94363d1356773a52fe0cbd87190c8fcbadbd638feb50650df800c3fe321dd47abbb69114f4a38e75c051f81e5ad1c6e75b60932c102 |
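The dropped-file list above is the part of the report a responder reuses. The five engine files under `Common Files\InstallShield\Engine\6\Intel 32` and `IScript` are the shared InstallShield 6 engine that many installers of that era deploy, so a hash match on a host identifies the component and build, not intent; the `Rockstar Games\GTAIII` entries are game data. The `memory/...-memory.dmp` lines are sandbox memory dumps and carry no hashes.

The following is an added example, not code from the report or the sandbox vendor. It parses this path-plus-hash-table layout into a lookup structure, picks out the PE-type drops to prioritize, and verifies a file's four digests against an entry, so a responder can confirm whether a copy of IKernel.exe found on a host is the same build. The sample entries are copied from the list above; the `b"abc"` input used for the digest check is constructed.

```python
"""Build a hash lookup from the report's Files section and verify a local file.

Added example, not from the report. The section's format is one path line
(or a memory/... dump name) followed by up to four '| ALGO | hex |' rows.
"""
import hashlib
import re

# Constructed sample: two entries copied from the report plus a memory-dump
# line, which carries no hashes and must not break the parser.
SAMPLE_FILES = r"""
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
| MD5 | bf25eb6a1e0aa2fff0cb190270b95418 |
| SHA1 | 79cad1291ac8b042af8454328ef7c71ce04a7c9d |
| SHA256 | 4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1 |
| SHA512 | 66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b |
memory/2948-105-0x00000000032F0000-0x0000000003328000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\isrt.dll
| MD5 | 61c056d2df7ab769d6fd801869b828a9 |
| SHA1 | 4213d0395692fa4181483ffb04eef4bda22cceee |
| SHA256 | 148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66 |
| SHA512 | a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ocx")  # PE-type drops to look at first
ALGOS = ("md5", "sha1", "sha256", "sha512")


def parse_files(text):
    """Return {path: {algo: hexdigest}}; memory dumps get an empty dict."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            entries[current][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = line
            entries[current] = {}
    return entries


def executables(entries):
    """Paths of dropped PE-type files (by extension); memory dumps are excluded."""
    return sorted(p for p in entries if p.lower().endswith(EXECUTABLE_EXT))


def hashes_of(data):
    """Compute the same four digests the report lists, for a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def verify(data, expected):
    """Compare a file's digests with an entry; returns {algo: matched} for the
    algorithms the entry actually lists."""
    actual = hashes_of(data)
    return {algo: actual[algo] == digest.lower() for algo, digest in expected.items()}


def find_by_sha256(entries, digest):
    """Which reported path(s), if any, carry this SHA256 (case-insensitive)."""
    digest = digest.lower()
    return [p for p, h in entries.items() if h.get("sha256") == digest]


if __name__ == "__main__":
    table = parse_files(SAMPLE_FILES)
    for path in executables(table):
        print(f"{table[path]['sha256']}  {path}")
```

Comparing all four digests, rather than MD5 alone, avoids a false match from a collided MD5; a file that matches SHA256 and SHA512 but not the stored MD5 points at a transcription error in the list rather than at a different file.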
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:18
Platform
win11-20241023-en
Max time kernel
84s
Max time network
96s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2972 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1
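The parent/child pair here is the normal WoW64 handoff: the 64-bit `rundll32.exe` in System32 cannot load a 32-bit DLL, so when given one it relaunches the 32-bit copy in SysWOW64 with the same arguments (`drvmgt.dll,#1` calls the DLL's export at ordinal 1). Ordinary process creation has the parent write into the child's address space, which is what the three identical "wrote to memory" rows for one pair record; on their own they do not show injection into an unrelated process. Reading the COFF header's Machine field from the dropped `drvmgt.dll` confirms whether a 32-bit DLL is the explanation.

The following is an added example, not code from the report or the sandbox vendor. It parses the PE header's Machine field, maps it to the rundll32 copy that should end up hosting the DLL on 64-bit Windows, and checks an observed parent/child pair against that expectation. The `minimal_pe` helper builds a constructed stand-in header because the real DLL is not on the page; a responder would pass the bytes of the dropped file instead.

```python
"""Check a DLL's bitness to explain a System32 -> SysWOW64 rundll32 handoff.

Added example, not from the report. On 64-bit Windows the System32
rundll32.exe relaunches the SysWOW64 copy when handed a 32-bit DLL; the
COFF Machine field says which bitness the DLL is.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
IMAGE_FILE_DLL = 0x2000


def pe_machine(data):
    """Return 'x86' or 'x64' from the COFF header; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    try:
        return MACHINE_NAMES[machine]
    except KeyError:
        raise ValueError(f"unsupported machine type 0x{machine:04x}") from None


def is_pe(data):
    """True when pe_machine can read a supported Machine value from the bytes."""
    try:
        pe_machine(data)
        return True
    except ValueError:
        return False


def expected_rundll32(dll_bitness):
    """Which rundll32.exe ends up hosting a DLL of this bitness on x64 Windows."""
    return {"x86": r"C:\Windows\SysWOW64\rundll32.exe",
            "x64": r"C:\Windows\System32\rundll32.exe"}[dll_bitness]


def minimal_pe(machine):
    """Constructed stand-in for a real DLL: DOS stub, e_lfanew, PE signature and
    a 20-byte COFF header. Only the fields pe_machine reads are meaningful."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, IMAGE_FILE_DLL)
    return bytes(dos) + b"PE\0\0" + coff


def explain_handoff(dll_bytes, parent, child):
    """True when a System32 rundll32 parent spawning the SysWOW64 copy is
    accounted for by the DLL being 32-bit."""
    bitness = pe_machine(dll_bytes)
    return (bitness == "x86"
            and parent.lower() == r"c:\windows\system32\rundll32.exe"
            and child.lower() == expected_rundll32(bitness).lower())


if __name__ == "__main__":
    sample = minimal_pe(IMAGE_FILE_MACHINE_I386)
    print(pe_machine(sample), "->", expected_rundll32(pe_machine(sample)))
```

If the dropped DLL turns out to be 64-bit, the SysWOW64 child is not explained by this handoff and the pair deserves a closer look; the same check applies to any rundll32, regsvr32 or similar host that appears twice with mixed bitness in a process tree.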
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:18
Platform
win11-20241007-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\secdrv.sys
C:\Users\Admin\AppData\Local\Temp\secdrv.sys
C:\Users\Admin\AppData\Local\Temp\secdrv.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/1772-0-0x0000000000010000-0x0000000000016E00-memory.dmp