Analysis Overview
SHA256: b0469b884ce50fd51a6ca3b1a599b985c92dd777bebf2b796b1bdcfd8928f5e0
Threat Level: Shows suspicious behavior
The file GTAIII (CD1).iso was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Modifies registry class
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Uses Volume Shadow Copy WMI provider
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-10 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 433s
Max time network: 452s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241023-en
Max time kernel: 438s
Max time network: 449s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Directx.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3664 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
| PID 3664 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
| PID 3664 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe
"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe /packageinstall
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxsetup.exe
| MD5 | c247f3544b1a7cfb76c6bc4093f9a275 |
| SHA1 | f361df15912830813ed57c5517b2166fc40fba22 |
| SHA256 | 89e7e2504984c260ae53d06d75879808c558e1b9c007d1825bcf1eb1d29bcdaa |
| SHA512 | 0b7d4428d28209514ce1ceecc212476a3184f831e28808b5295c17f23c3861de75ba7f725af6705d1e546b16e260a6ac8d3d989b9f38e98a0960c00f3056b1f0 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP.DLL
| MD5 | 4f5f399a970a921f883975a2228a1c8c |
| SHA1 | f2c39bde79a6d91f8e35dd4eee5ebed4573c5615 |
| SHA256 | 0fdfff9a5db0bd4b16a9663a6616308c511a21e3bec0bbed60ddfa2597c73acf |
| SHA512 | 7a03587c77eaad433fb49694b9cabbc0bda8e8554a97ee3ec63ca09dd7df37cae0031c1b9b52ab4d76d45fd847adf5a7680bb0dc803166ce4fb4cfc12aa017ef |
memory/4464-576-0x0000000000590000-0x000000000059C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP32.DLL
| MD5 | 833081979e1590bd9e7910b1ca44ddd0 |
| SHA1 | 79e741aaa0f6f1707cc6071b69fbd79d0375f181 |
| SHA256 | 72b472f42fa4c0847a458a426753858ffdbbc35c0a00cf29c27bbf70af055d3c |
| SHA512 | f7eb86386278d68580b4e46763972e55db07a64a6accfd4e7b76ad0e59f60180c354395ae3ab94a1a2f4ec36444587593c68ba430f27664fac0cb0904bfcac98 |
memory/4464-581-0x0000000000660000-0x0000000000697000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 440s
Max time network: 447s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data1.cab
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 425s
Max time network: 440s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ikernel.ex_
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 428s
Max time network: 464s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 423s
Max time network: 453s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 426s
Max time network: 452s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 412s
Max time network: 466s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 434s
Max time network: 460s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data2.cab
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:22
Platform: win11-20241007-en
Max time kernel: 39s
Max time network: 46s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\GTAIII (CD1).iso"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\AssertRepair.potm"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 1e7dd00b69af4d51fb747a9f42c6cffa |
| SHA1 | 496cdb3187d75b73c0cd72c69cd8d42d3b97bca2 |
| SHA256 | bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771 |
| SHA512 | d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7 |
memory/4668-9-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-10-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-11-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-8-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-7-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-12-0x00007FFD953D0000-0x00007FFD953E0000-memory.dmp
memory/4668-13-0x00007FFD953D0000-0x00007FFD953E0000-memory.dmp
memory/4668-35-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-38-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-37-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
memory/4668-36-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:31
Platform: win11-20241007-en
Max time kernel: 429s
Max time network: 431s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\out.iso
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241023-en
Max time kernel: 433s
Max time network: 443s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 432s
Max time network: 439s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 419s
Max time network: 429s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.ini
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 435s
Max time network: 490s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\autorun.inf
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 438s
Max time network: 450s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\layout.bin
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 427s
Max time network: 464s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\secdrv.sys
C:\Users\Admin\AppData\Local\Temp\secdrv.sys
C:\Users\Admin\AppData\Local\Temp\secdrv.sys
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2980-0-0x0000000000010000-0x0000000000016E00-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 430s
Max time network: 436s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 424s
Max time network: 438s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 434s
Max time network: 452s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe
"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 425s
Max time network: 456s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.bmp
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 426s
Max time network: 488s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 429s
Max time network: 435s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.256
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted: 2024-11-10 01:18
Reported: 2024-11-10 01:32
Platform: win11-20241007-en
Max time kernel: 437s
Max time network: 444s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| N/A | N/A | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrcc1a.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\setu482f.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\obje4e1b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\train.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\generic.txd | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\pedstats.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\surface.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\ital5937.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\fist4e0b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta3.zon | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\object.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\ped4e1b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\weap4e3a.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAt5649.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC22.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\mainsc1.txd | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\Website\webs59d3.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\audio\sfx.RAW | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\waterpro.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\fren5937.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\gta3.exe | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\time4e2b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industSE.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industne\industNE.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\ReadMe_FRENCH.txt | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\amer5927.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5966.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC17.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC6.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\setup.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\anim\cuts.img | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\weapon.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comroad\comroad.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\industSW.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE14.DAT | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\ReadMe_GERMAN.txt | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\SPLASH3.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\pedg4e1b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\gta3.IDE | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comS4e88.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\temppart\temppart.ide | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\temppart\temppart.ipl | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\Icons\gta3.ico | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE10.DAT | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHAS4f15.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\Coll\suburb.col | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\Setup.ini | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\anim\cuts.dir | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\anim\gta34a43.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\audio\sfx.SDT | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta3.dat | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\hand4e0b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comroad\comr4e79.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5956.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC11.TXD | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta34e0b.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\data\map.zon | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\models\gta3.dir | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mssrsx.m3d | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5995.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File created | C:\Program Files (x86)\Rockstar Games\GTAIII\txd\NEWS59c3.rra | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper.1 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\Engine\\6\\INTEL3~1\\IKernel.exe" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\iscript.dll" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\iKernel.exe" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ = "ISetupObjectContext" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.User.1\ = "InstallShield setup user interafce" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\Version = "1.0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel\CLSID | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ = "ISetupCABFile2" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS\ = "0" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ = "ISetupScriptEngine2" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA} | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303} | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
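The rows above are IKernel.exe registering itself as a COM local server (the `-RegServer` and `/REGSERVER` invocations in the process list) under `WOW6432Node\CLSID\{...}\LocalServer32`, with the server path written in 8.3 short form. The check worth automating on this kind of table is whether any CLSID server registration points at a binary other than the registering process, or into a user-writable location, which is what a COM hijack looks like. The Python below is an added example, not code from the sandbox report or from InstallShield: it parses rows in the table format used here, extracts every LocalServer32/InprocServer32 default-value write, unescapes the doubled backslashes the report uses for REG_SZ paths, and classifies the server path. The sample rows are copied from the table above; the single hijack-style row is constructed for illustration and does not occur in this report, and the list of trusted roots is an assumption.

```python
"""Extract and triage COM server registrations from sandbox registry rows.

Added example, not code from the sandbox or from InstallShield. Parses
pipe-delimited 'Modifies registry class' rows, pulls every
CLSID\\...\\LocalServer32 / InprocServer32 default-value write, and
classifies where the registered server lives.
"""
import ntpath
import re
from dataclasses import dataclass

# Rows copied from the report's table (doubled backslashes are how the
# sandbox renders REG_SZ paths).
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\Engine\\6\\INTEL3~1\\IKernel.exe" | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\iKernel.exe" | C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\iscript.dll" | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel\CLSID | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | N/A |
"""

# Constructed, hypothetical row (NOT from this report): what a hijack-style
# registration from a user-writable directory would look like.
CONSTRUCTED_HIJACK_ROW = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\payload.dll" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
"""

SERVER_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\(?P<kind>LocalServer32|InprocServer32)\\"
    r"[^=]*?=\s*\"(?P<value>.*)\"$"
)
# Assumption: roots under which an installer may legitimately register servers.
TRUSTED_ROOTS = ("C:\\PROGRAM FILES", "C:\\PROGRA~", "C:\\WINDOWS")


@dataclass
class Registration:
    clsid: str
    kind: str
    wow64: bool
    server: str
    process: str
    location: str       # ok | short-name | untrusted-location
    same_binary: bool   # server basename == registering process basename


def _cells(line: str):
    """Split one '| a | b | c |' row into stripped cells, or None."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    return [c.strip() for c in line.strip("|").split(" | ")]


def _server_path(value: str) -> str:
    """Unescape the doubled backslashes and drop any trailing arguments."""
    value = value.replace("\\\\", "\\").strip('"')
    m = re.match(r"(.+?\.(?:exe|dll))", value, re.IGNORECASE)
    return m.group(1) if m else value


def _location(path: str) -> str:
    upper = path.upper()
    if not upper.startswith(TRUSTED_ROOTS):
        return "untrusted-location"
    # 8.3 names (PROGRA~2) cannot be resolved offline; mark for manual check.
    return "short-name" if "~" in upper else "ok"


def triage(table_text: str):
    """Return one Registration per CLSID server write found in the rows."""
    regs = []
    for line in table_text.splitlines():
        cells = _cells(line)
        if not cells or len(cells) < 3:
            continue
        m = SERVER_RE.match(cells[1])
        if not m:
            continue
        server = _server_path(m.group("value"))
        regs.append(Registration(
            clsid=m.group("clsid"), kind=m.group("kind"),
            wow64=m.group("wow") is not None, server=server, process=cells[2],
            location=_location(server),
            same_binary=ntpath.basename(server).lower()
                        == ntpath.basename(cells[2]).lower(),
        ))
    return regs


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS) + triage(CONSTRUCTED_HIJACK_ROW):
        print(f"{r.clsid} {r.kind:<14} {r.location:<18} "
              f"{'same-binary' if r.same_binary else 'DIFFERENT-BINARY'} {r.server}")
```

For the two report rows the result is `short-name` with the server basename matching the registering process; the Process column of the same rows already gives the long-name resolution (`C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe`), so no further lookup is needed here. The constructed row comes back as `untrusted-location` with a different binary, which is the combination an analyst would escalate.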
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
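Every privilege in the table above is enabled by vssvc.exe (the Volume Shadow Copy service) or srtasks.exe (the System Protection task binary), and the process list further down shows `srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2`, i.e. the restore point an installer requests before it writes to Program Files. SeBackup/SeRestore on those two system binaries is therefore expected; the same privileges enabled by a binary running from a user profile directory would not be. The Python below is an added example, not part of the report: it groups the token rows by process, attaches the command line from the process list, and flags sensitive privileges on any binary outside a per-binary expectation table. The expectation table is an assumption; the token rows and process entries are copied from this report, and the one row for a Temp-directory binary is constructed and hypothetical.

```python
"""Triage of AdjustPrivilegeToken rows against the process list.

Added example, not part of the sandbox report. Groups the privileges each
process enabled, attaches the command line from the 'Processes' list, and
flags sensitive privileges on any binary not in a per-binary expectation
table.
"""
from collections import defaultdict

# Rows copied from the report's AdjustPrivilegeToken table.
TOKEN_ROWS = r"""
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
"""

# Path / command-line pairs copied from the report's process list.
PROCESS_LIST = r"""
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
"""

# Constructed, hypothetical row (NOT from this report): a user-profile
# binary enabling a backup privilege.
CONSTRUCTED_ROW = r"""
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
"""

# Privileges worth a second look when enabled by an unexpected process.
SENSITIVE = {
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeSecurityPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
    "SeTcbPrivilege", "SeImpersonatePrivilege",
}

# Assumption: system binaries that legitimately enable these privileges
# while creating shadow copies and restore points.
EXPECTED = {
    r"c:\windows\system32\vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege"},
    r"c:\windows\system32\srtasks.exe": {
        "SeBackupPrivilege", "SeRestorePrivilege",
        "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    },
}


def parse_tokens(text):
    """Map process path -> set of privilege names from 'Token: X' rows."""
    privs = defaultdict(set)
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split(" | ")]
        if len(cells) >= 3 and cells[0].startswith("Token: "):
            privs[cells[2]].add(cells[0][len("Token: "):])
    return dict(privs)


def parse_processes(text):
    """Map process path -> command line from the alternating path/cmdline list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {lines[i]: lines[i + 1] for i in range(0, len(lines) - 1, 2)}


def triage(token_text, process_text):
    """One finding per process: privileges, command line, and a verdict."""
    cmdlines = parse_processes(process_text)
    findings = []
    for proc, privs in parse_tokens(token_text).items():
        unexpected = (privs & SENSITIVE) - EXPECTED.get(proc.lower(), set())
        findings.append({
            "process": proc,
            "cmdline": cmdlines.get(proc, ""),
            "privileges": sorted(privs),
            "unexpected": sorted(unexpected),
            "verdict": "review" if unexpected else "expected",
        })
    return findings


if __name__ == "__main__":
    for f in triage(TOKEN_ROWS, PROCESS_LIST) + triage(CONSTRUCTED_ROW, PROCESS_LIST):
        print(f"{f['verdict']:<9} {f['process']}  {f['unexpected'] or ''}  {f['cmdline']}")
```

Both report processes come back `expected`; the constructed Temp-directory binary comes back `review` with SeBackupPrivilege listed, and with an empty command line because it does not appear in the process list, which is itself a useful signal that the token row and the process tree do not line up.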
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Network
Files
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
| MD5 | bf25eb6a1e0aa2fff0cb190270b95418 |
| SHA1 | 79cad1291ac8b042af8454328ef7c71ce04a7c9d |
| SHA256 | 4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1 |
| SHA512 | 66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b |
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini
| MD5 | 62d5f9827d867eb3e4ab9e6b338348a1 |
| SHA1 | 828e72f9c845b1c0865badaef40d63fb36447293 |
| SHA256 | 5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5 |
| SHA512 | b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
| MD5 | 003a6c011aac993bcde8c860988ce49b |
| SHA1 | 6d39d650dfa5ded45c4e0cb17b986893061104a7 |
| SHA256 | 590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a |
| SHA512 | 032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
| MD5 | 8f02b204853939f8aefe6b07b283be9a |
| SHA1 | c161b9374e67d5fa3066ea03fc861cc0023eb3cc |
| SHA256 | 32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998 |
| SHA512 | 8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59 |
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
| MD5 | 377765fd4de3912c0f814ee9f182feda |
| SHA1 | a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1 |
| SHA256 | 8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb |
| SHA512 | 31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710 |
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
| MD5 | b2f7e6dc7e4aae3147fbfc74a2ddb365 |
| SHA1 | 716301112706e93f85977d79f0e8f18f17fb32a7 |
| SHA256 | 4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1 |
| SHA512 | e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83 |
memory/2252-99-0x0000000000920000-0x0000000000933000-memory.dmp
memory/2252-105-0x0000000003480000-0x00000000034B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\isrt.dll
| MD5 | 61c056d2df7ab769d6fd801869b828a9 |
| SHA1 | 4213d0395692fa4181483ffb04eef4bda22cceee |
| SHA256 | 148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66 |
| SHA512 | a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172 |
memory/2252-119-0x0000000003AC0000-0x0000000003AEC000-memory.dmp
memory/2252-113-0x00000000035E0000-0x0000000003633000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\_IsRes.dll
| MD5 | 48ea604d4fa7d9af5b121c04db6a2fec |
| SHA1 | dc3c04977106bc1fbf1776a6b27899d7b81fb937 |
| SHA256 | cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b |
| SHA512 | 9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707 |
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\setup.inx
| MD5 | f3c79c972c0efb3d3b24ac01b013af04 |
| SHA1 | 856c12f6c90ed9be470c568df06bd086885ac464 |
| SHA256 | d3308c03573f3d0f9f857c2e7bbb5bca38a1012341005138870c9fdc30d82adf |
| SHA512 | 3c560749df1405c0374484f1a8473c6713dd12d9b5610648fede9e21d48892b4b4f9d33f70cd74edfa8ddaf17223f795b9a78002265561fd42cd76884b094b2a |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl
| MD5 | 5c313e6b51d76195c0f717bfa48a3a64 |
| SHA1 | 0205ead687dd54ff6bca4facfb017867c6bcba25 |
| SHA256 | 5b40564f0e41e816dbfb78dfc6ab3d63206f2e0dd6bca48bc16ad80d24b0fc0a |
| SHA512 | cfa5d5e7534575bd603f80251a58354398cb23d356ec1bac4f2733f5046f8c7c0612354bfee3af75e7183c0b64ed4da8fa12ec1faf0910e0a300389b5285e323 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comntop\comNtop.ipl
| MD5 | 49cffb707d6086725fea02aa0becca61 |
| SHA1 | fc69da4751506a8e956273457f31efb5b77f112d |
| SHA256 | dc4f41787d84508068f91c60edf0585b2d3333401c84d4b2bf2aea9c1e03d2c7 |
| SHA512 | f99770f0d60eabcf86e2218552d14eb72cb50a55c0ded25486c1af8db733aee7e6eba130aea15abe4147432f0a982db078293a2bfab9eb66769019cb3d493d9d |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comSE.ipl
| MD5 | f8bf802c0d8ef94fd0debea7d2c5b062 |
| SHA1 | fe0583bfbbc6942e736d3404ca756ef9ad99e1cd |
| SHA256 | 89184f15ef8fcb78afdc8eb0cb2fe211f75373c8bf13ae8b6953b483a43d5e61 |
| SHA512 | 129a923636472c0346df91bd25506f896ef99b7b827d9b19a649bdb261b00e8dac5acb1125494a0d3fc868d5adf3157186b200884d57a68aa2ce85c775313b47 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comsw\comSW.ipl
| MD5 | 58436be13920cd4827699de686e05b0e |
| SHA1 | 8e98e21316f238812a77950adb9bd949c024282b |
| SHA256 | ecdb2c8b3160711546da881f3ee87990426f67c3acb3548c2fa51b48b3b441bb |
| SHA512 | 3bcaacf155d379a1f38e8b1eef0df14984e52387064d3118a065e780031e3f6c63857a6556db9d974193e583a9067aff81f53a072c4e37be4111078c39bc1e25 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industse\industSE.ipl
| MD5 | 87a427e81c81c223e20a82906aff91cf |
| SHA1 | 1ae310730144f9b47ab65c2dffc0a0be53206e11 |
| SHA256 | 7c012c51317d7e1305fe8bb24c62075af816ef3f6c9a9beb58d46f6e855c2ba8 |
| SHA512 | 48942ea58f232882be6ede1765be55b4530a58a8734b379de9856a2876d3d5a1fafbe8673a1a231db11689f071978a913025f888aa0e6e71d47be849e7608b58 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\industSW.ipl
| MD5 | 756d445299812e430fa77faf8695a436 |
| SHA1 | 20eeac1bc4df940363100a1f68fd57e997cf9146 |
| SHA256 | cac6c6117a6bb73654d42643b9e81ae89278ce82dca52acd626565229e8bbbd1 |
| SHA512 | 2bb45dd91b444768db4a3814f5f46dd9be8aecfc6c419af225b288d5266db2da0cc9dde3e577586d3c03a5dfe7ab73f695de0aa4ae514de69d390d512a4d4423 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\landne.ipl
| MD5 | 90e76aa9ea1d6de6c74e9cfa2276bc0a |
| SHA1 | 9a5c05ceb612f031429e561829d44c3167f96ded |
| SHA256 | 8e5479895047d275869f47235ba217237a09dab7cdc5c4de949ec25238472767 |
| SHA512 | bcaa779df8a38798eb639472f47ce32986762ffe7d5f294a5ba66612970b629ce5463d2446785a5f1a4cbb6d99d3d5e6a97ccb02e8270a70ca80a1affeccff8b |
C:\Program Files (x86)\Rockstar Games\GTAIII\models\Generic\player.bmp
| MD5 | a5b4affb8b9ebff7f920cc072d91d3b1 |
| SHA1 | 3b34ec9bcfa615e82b4298e55189cd063676bb52 |
| SHA256 | 94d230e38345c5a4e7ac654f3f934c4863f8ac0a9835922e9abc4626146b712a |
| SHA512 | 4ec06ad30f8eabc9e261220248d9150a8edb514f2473539d46991b068e7338852d5917658537a2b1d8d829a84c3b72d2084fca2fe9a96bef0371242119f211a4 |
C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAtitlesGER.mpg
| MD5 | 202a663fea111c8a5bd18e2310c1f7c6 |
| SHA1 | 76b86161f44379526a8826b5722b9b869c91594a |
| SHA256 | d085d75b268d35092d72ddf92d949c19d25d448bae73f24d8f63f19576e80e43 |
| SHA512 | 2d4d9103a5083d1057a6b94363d1356773a52fe0cbd87190c8fcbadbd638feb50650df800c3fe321dd47abbb69114f4a38e75c051f81e5ad1c6e75b60932c102 |
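The file list above mixes three kinds of drop: the InstallShield engine components written into Common Files (IKernel.exe, ctor.dll, objectps.dll, iuser.dll, iscript.dll), the setup support DLLs extracted under the {92B94569-...} Temp directory (isrt.dll, _IsRes.dll), and plain game assets. For pivoting, an analyst wants the digests of the executable components as a machine-readable list, plus a sanity check that extraction did not truncate a hash. The Python below is an added example, not part of the report: it parses the path-plus-hash blocks as laid out above (the interleaved memory dump entries carry no hash rows and are skipped), validates digest length and charset, classifies each file by where it landed, and emits the SHA256 list for code files. The sample blocks are a subset copied from this report; the malformed block is constructed to exercise the check and does not appear here.

```python
"""Inventory of dropped files from a sandbox 'Files' section.

Added example, not part of the sandbox report. Parses the path-plus-hash
blocks as laid out above, validates digest lengths, classifies each file by
where it landed, and emits the SHA256 list for executable components.
"""
import ntpath
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
CODE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Blocks copied from the report; the memory dump line is included because
# the report interleaves them between file blocks.
SAMPLE_FILES = r"""
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
| MD5 | bf25eb6a1e0aa2fff0cb190270b95418 |
| SHA1 | 79cad1291ac8b042af8454328ef7c71ce04a7c9d |
| SHA256 | 4535320c5b9596a6210109f68c647dbdbd0289ba63286fd389dea910855491f1 |
| SHA512 | 66a4ee419548e63c0a007be91ad58d5e1a6cf37e5df70a5da7ddcc0a1f4831bb42ba67c6cc8ce3d54b99fa77a9249ace9b5cc4836e957103b9901484bb04337b |
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini
| MD5 | 62d5f9827d867eb3e4ab9e6b338348a1 |
| SHA1 | 828e72f9c845b1c0865badaef40d63fb36447293 |
| SHA256 | 5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5 |
| SHA512 | b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732 |
memory/2252-99-0x0000000000920000-0x0000000000933000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\isrt.dll
| MD5 | 61c056d2df7ab769d6fd801869b828a9 |
| SHA1 | 4213d0395692fa4181483ffb04eef4bda22cceee |
| SHA256 | 148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66 |
| SHA512 | a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172 |
C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl
| MD5 | 5c313e6b51d76195c0f717bfa48a3a64 |
| SHA1 | 0205ead687dd54ff6bca4facfb017867c6bcba25 |
| SHA256 | 5b40564f0e41e816dbfb78dfc6ab3d63206f2e0dd6bca48bc16ad80d24b0fc0a |
| SHA512 | cfa5d5e7534575bd603f80251a58354398cb23d356ec1bac4f2733f5046f8c7c0612354bfee3af75e7183c0b64ed4da8fa12ec1faf0910e0a300389b5285e323 |
"""

# Constructed, hypothetical block (NOT from this report) with a truncated
# SHA256, to exercise the extraction sanity check.
CONSTRUCTED_BAD_BLOCK = r"""
C:\Users\Admin\AppData\Local\Temp\constructed.dll
| MD5 | 00000000000000000000000000000000 |
| SHA256 | 0123456789abcdef |
"""


def parse_file_blocks(text):
    """Return [{'path': ..., 'hashes': {algo: hex}}] in report order."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split(" | ")]
            if current is not None and len(cells) == 2 and cells[0] in HASH_LEN:
                current["hashes"][cells[0]] = cells[1].lower()
            continue
        if line.startswith("memory/"):
            current = None          # memory dump entries have no hash rows
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files


def _location(path):
    """temp (user profile), shared (Common Files, long or 8.3 form) or app."""
    lower = path.lower()
    if "\\appdata\\local\\temp\\" in lower:
        return "temp"
    if "\\common files\\" in lower or "\\common~1\\" in lower:
        return "shared"
    return "app"


def check(files):
    """Attach location, code flag and the list of malformed digest fields."""
    out = []
    for f in files:
        ext = ntpath.splitext(f["path"])[1].lower()
        problems = [a for a, h in f["hashes"].items()
                    if len(h) != HASH_LEN[a] or not HEX_RE.match(h)]
        out.append({
            "path": f["path"],
            "name": ntpath.basename(f["path"]).lower(),
            "sha256": f["hashes"].get("SHA256"),
            "location": _location(f["path"]),
            "is_code": ext in CODE_EXT,
            "problems": problems,
        })
    return out


def code_iocs(files):
    """Sorted (basename, sha256) pairs for executable components with intact digests."""
    return sorted((r["name"], r["sha256"]) for r in check(files)
                  if r["is_code"] and r["sha256"] and not r["problems"])
```

On the sample blocks this yields two code entries, IKernel.exe (shared) and isrt.dll (temp), with all sixteen digests intact; the constructed block is rejected from the IOC list because its SHA256 fails the length check. Note that the 8.3 path of corecomp.ini still classifies as shared, so the long and short spellings of the same InstallShield directory do not end up in different buckets.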
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:32
Platform
win11-20241007-en
Max time kernel
441s
Max time network
448s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data1.hdr
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:32
Platform
win11-20241007-en
Max time kernel
421s
Max time network
440s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000001.tmp
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:32
Platform
win11-20241007-en
Max time kernel
438s
Max time network
444s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.016
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:32
Platform
win11-20241007-en
Max time kernel
429s
Max time network
490s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:32
Platform
win11-20241007-en
Max time kernel
423s
Max time network
455s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\setup.inx
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
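The behavioral analyses above share two launch patterns worth separating from the file's own behaviour. In behavioral23, behavioral3, behavioral4 and behavioral29 the sandbox ran `cmd /c` on a data file (`.hdr`, `.tmp`, `.016`, `.inx`) and the next process is `OpenWith.exe -Embedding`: with no registered handler the shell raised the "Open with" dialog, and the `SetWindowsHookEx` and `*_Classes\Local Settings` entries attributed to `OpenWith.exe` come from that dialog. In behavioral25 the 64-bit `system32\rundll32.exe` spawned `SysWOW64\rundll32.exe` with the identical `drvmgt.dll,#1` arguments, which is how the 64-bit rundll32 hands a 32-bit DLL to its 32-bit copy, so the child's signatures are the ones that describe the DLL. The `in-addr.arpa` names in the Network tables are reverse (PTR) lookups whose octets are reversed. The helper below is an added example written for this page (not part of the report or of any vendor tooling): it classifies each analysis's process chain and recovers the address behind each PTR name. The image paths, command lines and PTR names are copied from the report; the labels, the `HAS_DEFAULT_HANDLER` extension list and the function names are this example's own heuristics, and which organisation owns the decoded addresses is left to the analyst.

```python
"""Added triage helper for the per-analysis Processes and Network entries
(example code written for this page, not part of the sandbox report).
Process/network data is copied from the report; the labels and the
handler-extension list are this example's own heuristics."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Proc = Tuple[str, str]  # (image path, command line) as listed under Processes

REPORT_PROCESSES: Dict[str, List[Proc]] = {
    "behavioral23": [
        (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\data1.hdr"),
        (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    ],
    "behavioral3": [
        (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\00000001.tmp"),
        (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    ],
    "behavioral4": [
        (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.016"),
        (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    ],
    "behavioral25": [
        (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1"),
        (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1"),
    ],
    "behavioral29": [
        (r"C:\Windows\system32\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\setup.inx"),
        (r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    ],
}

REPORT_NETWORK: Dict[str, List[str]] = {
    "behavioral3": ["29.243.111.52.in-addr.arpa"],
    "behavioral4": ["95.221.229.192.in-addr.arpa"],
    "behavioral29": ["11.227.111.52.in-addr.arpa"],
}

# Extensions a stock Windows install can run straight from "cmd /c <file>"
# (heuristic list); anything else falls through to the shell association lookup.
HAS_DEFAULT_HANDLER = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk",
                       ".msi", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

CMD_C = re.compile(r'^cmd(?:\.exe)?\s+/c\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),(?P<entry>#?\w+)", re.IGNORECASE)
PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def classify_chain(procs: List[Proc]) -> str:
    """Label the launch chain of one analysis from its Processes list."""
    if not procs:
        return "EMPTY"
    first_image, first_cmd = procs[0]
    rest = procs[1:]
    m = CMD_C.match(first_cmd)
    if m:
        ext = ntpath.splitext(m.group("target").strip('"'))[1].lower()
        open_with = any(img.lower().endswith(r"\openwith.exe") and "-embedding" in cmd.lower()
                        for img, cmd in rest)
        if ext not in HAS_DEFAULT_HANDLER and open_with:
            # A data file with no associated program was launched; the shell
            # showed the "Open with" dialog.  Hooks and *_Classes\Local Settings
            # keys attributed to OpenWith.exe are that dialog's own activity.
            return "NO_HANDLER_OPENWITH"
        return "CMD_C_OTHER"
    m = RUNDLL.match(first_cmd)
    if m and first_image.lower().startswith("c:\\windows\\system32\\"):
        relaunched = any(img.lower().startswith("c:\\windows\\syswow64\\rundll32") and cmd == first_cmd
                         for img, cmd in rest)
        if relaunched:
            # 64-bit rundll32 re-launches its SysWOW64 copy with the same
            # arguments when the DLL is 32-bit; the export (#1 here) runs in
            # the 32-bit child, so read that child's signatures for the DLL.
            return "WOW64_RUNDLL32_RELAUNCH"
        return "RUNDLL32_NATIVE"
    return "UNCLASSIFIED"


def ptr_to_ip(name: str) -> Optional[str]:
    """Recover the IPv4 address a reverse (PTR) lookup name refers to."""
    m = PTR.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in reversed(octets))


def triage(processes=REPORT_PROCESSES, network=REPORT_NETWORK) -> Dict[str, dict]:
    """Per-analysis summary: chain label plus the addresses behind PTR lookups."""
    out: Dict[str, dict] = {}
    for name, procs in processes.items():
        ptrs = [ptr_to_ip(d) for d in network.get(name, [])]
        out[name] = {"chain": classify_chain(procs),
                     "ptr_targets": [ip for ip in ptrs if ip is not None]}
    return out


if __name__ == "__main__":
    for name, summary in triage().items():
        print(name, summary)
```

Running `triage()` over the copied data labels behavioral23, behavioral3, behavioral4 and behavioral29 as `NO_HANDLER_OPENWITH` and behavioral25 as `WOW64_RUNDLL32_RELAUNCH`; the decoded PTR targets (for example `52.111.243.29` from behavioral3) should be checked against your own allowlist of OS and sandbox background ranges before being counted as contact by the sample.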