Malware Analysis Report

2024-12-01 01:19

Sample ID 241110-bpbbkawfng
Target GTAIII (CD1).iso
SHA256 b0469b884ce50fd51a6ca3b1a599b985c92dd777bebf2b796b1bdcfd8928f5e0
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral12, behavioral16, behavioral22, behavioral26, behavioral6, behavioral7, behavioral11, behavioral13, behavioral24, behavioral1, behavioral2, behavioral8, behavioral10, behavioral20, behavioral21, behavioral27, behavioral28, behavioral14, behavioral15, behavioral17, behavioral18, behavioral5, behavioral9, behavioral19, behavioral23, behavioral3, behavioral4, behavioral25, behavioral29

Analysis Overview

score
7/10

SHA256

b0469b884ce50fd51a6ca3b1a599b985c92dd777bebf2b796b1bdcfd8928f5e0

Threat Level: Shows suspicious behavior

The file GTAIII (CD1).iso was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Modifies registry class

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Uses Volume Shadow Copy WMI provider

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

433s

Max time network

452s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241023-en

Max time kernel

438s

Max time network

449s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Directx.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe N/A
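The RunOnce value above is the one row in this report that backs the "persistence" tag, and it deserves a closer look than the tag suggests: decoded, it is rundll32.exe calling advpack.dll's DelNodeRunDLL32 on the IXP000.TMP staging directory, which is the cleanup entry that IExpress/WExtract self-extracting stubs register to delete their own temp folder on next logon. It removes files, it does not launch anything. The script below is an added example written for this page, not sandbox tooling or code from the report: it parses "Description Indicator Process Target" rows as they are printed here (whitespace-separated, with paths that contain spaces, so it anchors on the fixed description vocabulary and the trailing process .exe), decodes the escaped REG_SZ data, and classifies Run/RunOnce writes as either that cleanup pattern or "review". The sample rows are copied from the behavioral16 and behavioral19 tables; the regexes, function names and the "iexpress-cleanup" verdict are the editor's own and are assumptions about the report layout rather than anything the sandbox documents. It also rolls up write activity per process, which covers the behavioral19 InstallShield drop list in the same pass.

```python
import re
from collections import Counter, defaultdict

# Editor-constructed sample: rows copied verbatim from this report's
# behavioral16 and behavioral19 signature tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe N/A',
    r'File opened for modification C:\Windows\Directx.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe N/A',
    r'File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\obje4e1b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A',
    r'File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\gta3.exe C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A',
]

# One "Description Indicator Process Target" row. Columns are space-separated
# and paths contain spaces, so anchor on the fixed description vocabulary on
# the left and on "<drive>:\...\something.exe <target>" on the right. The
# process path may not contain a quote, which keeps the regex from stopping
# inside an escaped REG_SZ value. (Assumed layout; this is the editor's regex.)
ROW_RE = re.compile(
    r'^(?P<desc>Key created|Key opened|Key value queried|Set value \(\w+\)|'
    r'File created|File opened for modification)\s+'
    r'(?P<indicator>\S.*?)\s+'
    r'(?P<process>[A-Za-z]:\\[^"]*?\.exe)\s+'
    r'(?P<target>\S+)$',
    re.IGNORECASE,
)

# A Run/RunOnce value write: key path, value name, quoted (escaped) data.
RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>MACHINE|USER)\\.*?\\CurrentVersion\\(?P<kind>RunOnce|Run)'
    r'\\(?P<name>[^\\=]+?)\s*=\s*"(?P<raw>.*)"$',
    re.IGNORECASE,
)

# Cleanup command IExpress/WExtract stubs register to delete their IXP###.TMP
# staging directory on next logon (editor's classification, not the sandbox's).
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"$',
    re.IGNORECASE,
)


def parse_row(line):
    """Return the columns of one indicator row as a dict, or None if it is not one."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def unescape_value(raw):
    """Undo the report's REG_SZ escaping: \\\\ -> \\ and \\" -> " (left to right)."""
    return re.sub(r'\\(.)', r'\1', raw)


def triage_run_values(rows):
    """Classify every Run/RunOnce write; returns one dict per value written."""
    out = []
    for r in rows:
        if not r['desc'].lower().startswith('set value'):
            continue
        m = RUN_VALUE_RE.match(r['indicator'])
        if not m:
            continue
        cmd = unescape_value(m['raw'])
        # Self-deleting temp-dir cleanup is not a launcher; everything else
        # under Run/RunOnce gets a human look.
        verdict = 'iexpress-cleanup' if WEXTRACT_CLEANUP_RE.match(cmd) else 'review'
        out.append({'kind': m['kind'], 'name': m['name'], 'command': cmd,
                    'writer': r['process'], 'verdict': verdict})
    return out


def writes_by_process(rows):
    """Count file and registry *writes* per writing process (reads are excluded)."""
    counts = defaultdict(Counter)
    for r in rows:
        d = r['desc'].lower()
        if d.startswith(('file created', 'file opened for modification',
                         'set value', 'key created')):
            counts[r['process']][r['desc']] += 1
    return counts


def triage_report(lines):
    """Parse all rows and return (rows, run-key verdicts, per-process write counts)."""
    rows = [r for r in (parse_row(l) for l in lines) if r]
    return rows, triage_run_values(rows), writes_by_process(rows)


if __name__ == '__main__':
    rows, run_values, writes = triage_report(SAMPLE_ROWS)
    for v in run_values:
        print(f"{v['kind']}\\{v['name']}: {v['verdict']}  <- {v['command']}")
    for proc, c in writes.items():
        print(proc, dict(c))
```

Run against the full report, anything that comes back as "review" is a real persistence candidate; on this page the only Run/RunOnce write is the cleanup entry, and the per-process roll-up shows the bulk of file creation coming from the InstallShield engine (IKernel.exe) into the game's own Program Files directory.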

Processes

C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe

"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81Win2000.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DXSetup.exe /packageinstall

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxsetup.exe

MD5 c247f3544b1a7cfb76c6bc4093f9a275
SHA1 f361df15912830813ed57c5517b2166fc40fba22
SHA256 89e7e2504984c260ae53d06d75879808c558e1b9c007d1825bcf1eb1d29bcdaa
SHA512 0b7d4428d28209514ce1ceecc212476a3184f831e28808b5295c17f23c3861de75ba7f725af6705d1e546b16e260a6ac8d3d989b9f38e98a0960c00f3056b1f0

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP.DLL

MD5 4f5f399a970a921f883975a2228a1c8c
SHA1 f2c39bde79a6d91f8e35dd4eee5ebed4573c5615
SHA256 0fdfff9a5db0bd4b16a9663a6616308c511a21e3bec0bbed60ddfa2597c73acf
SHA512 7a03587c77eaad433fb49694b9cabbc0bda8e8554a97ee3ec63ca09dd7df37cae0031c1b9b52ab4d76d45fd847adf5a7680bb0dc803166ce4fb4cfc12aa017ef

memory/4464-576-0x0000000000590000-0x000000000059C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DSETUP32.DLL

MD5 833081979e1590bd9e7910b1ca44ddd0
SHA1 79e741aaa0f6f1707cc6071b69fbd79d0375f181
SHA256 72b472f42fa4c0847a458a426753858ffdbbc35c0a00cf29c27bbf70af055d3c
SHA512 f7eb86386278d68580b4e46763972e55db07a64a6accfd4e7b76ad0e59f60180c354395ae3ab94a1a2f4ec36444587593c68ba430f27664fac0cb0904bfcac98

memory/4464-581-0x0000000000660000-0x0000000000697000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

440s

Max time network

447s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data1.cab

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data1.cab

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

425s

Max time network

440s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ikernel.ex_

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ikernel.ex_

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

428s

Max time network

464s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

423s

Max time network

453s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000409.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

426s

Max time network

452s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

412s

Max time network

466s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000809.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

434s

Max time network

460s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data2.cab

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\data2.cab

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:22

Platform

win11-20241007-en

Max time kernel

39s

Max time network

46s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\GTAIII (CD1).iso"

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\system32\cmd.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\GTAIII (CD1).iso"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\AssertRepair.potm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
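Every Network table in this report except this one contains only UDP/53 rows to 8.8.8.8 whose "domain" is an in-addr.arpa name, i.e. the sandbox host doing reverse lookups; the one row that is an actual connection is POWERPNT.EXE reaching roaming.officeapps.live.com over TCP/443. Telling those apart, and recovering which address a PTR row was actually asking about (the octets in an in-addr.arpa name are in reverse order, so 13.227.111.52.in-addr.arpa is a lookup of 52.111.227.13), is the check worth automating before reading any of these tables as "network activity". The script below is an added example for this page, not part of the report or of the sandbox: it parses "Country Destination Domain Proto" rows as printed here, separates PTR lookups and forward DNS queries from real connections, and reverses the PTR labels back to an address. The sample rows are copied from the behavioral1, behavioral16 and behavioral26 tables; the row regex, the kind labels and the function names are the editor's assumptions about the layout, and no claim is made about who owns the recovered addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Editor-constructed sample: Network rows copied from this report, keyed by
# the analysis they appear in.
SAMPLE_NETWORK = {
    'behavioral1': [
        'US 8.8.8.8:53 roaming.officeapps.live.com udp',
        'NL 52.109.89.19:443 roaming.officeapps.live.com tcp',
        'US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp',
    ],
    'behavioral16': ['US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp'],
    'behavioral26': ['US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp'],
}

# "Country Destination Domain Proto" as printed in the report (assumed layout).
NET_ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$'
)


def ptr_name_to_ip(name):
    """Recover the IPv4 address an in-addr.arpa PTR name refers to, or None.

    PTR names list the octets least-significant first, so the four leading
    labels are reversed to rebuild the dotted-quad address.
    """
    labels = name.lower().removesuffix('.').split('.')
    if len(labels) != 6 or labels[-2:] != ['in-addr', 'arpa']:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def classify(row):
    """Tag one row as a PTR lookup, a forward DNS query, or a real connection."""
    m = NET_ROW_RE.match(row.strip())
    if not m:
        return None
    r = m.groupdict()
    r['port'] = int(r['port'])
    ptr_ip = ptr_name_to_ip(r['domain'])
    if r['port'] == 53 and ptr_ip:
        r['kind'] = 'ptr-lookup'     # host resolving some address; noise unless ptr_ip matters
        r['subject'] = ptr_ip
    elif r['port'] == 53:
        r['kind'] = 'dns-query'      # forward lookup; the connection that follows is what counts
        r['subject'] = r['domain']
    else:
        r['kind'] = 'connection'
        r['subject'] = f"{r['ip']}:{r['port']}"
    return r


def triage_network(tables):
    """Return ({analysis: {kind: [subjects]}}, [real connections])."""
    per_analysis = defaultdict(lambda: defaultdict(list))
    connections = []
    for analysis, rows in tables.items():
        for row in rows:
            r = classify(row)
            if r is None:
                continue
            per_analysis[analysis][r['kind']].append(r['subject'])
            if r['kind'] == 'connection':
                connections.append((analysis, r['domain'], r['subject'], r['proto']))
    return per_analysis, connections


if __name__ == '__main__':
    per_analysis, connections = triage_network(SAMPLE_NETWORK)
    for analysis, kinds in per_analysis.items():
        print(analysis, {k: v for k, v in kinds.items()})
    print('connections:', connections)
```

The useful output is the short connections list: for this report it contains a single Office roaming endpoint contacted by POWERPNT.EXE, and nothing attributable to the setup binaries, which is what the "no C2" reading of these tables actually rests on.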

Files

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 1e7dd00b69af4d51fb747a9f42c6cffa
SHA1 496cdb3187d75b73c0cd72c69cd8d42d3b97bca2
SHA256 bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771
SHA512 d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

memory/4668-9-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-10-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-11-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-8-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-7-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-12-0x00007FFD953D0000-0x00007FFD953E0000-memory.dmp

memory/4668-13-0x00007FFD953D0000-0x00007FFD953E0000-memory.dmp

memory/4668-35-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-38-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-37-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

memory/4668-36-0x00007FFD97F70000-0x00007FFD97F80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:31

Platform

win11-20241007-en

Max time kernel

429s

Max time network

431s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\out.iso

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\out.iso

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241023-en

Max time kernel

433s

Max time network

443s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

432s

Max time network

439s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000410.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

419s

Max time network

429s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

435s

Max time network

490s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\autorun.inf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\autorun.inf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

438s

Max time network

450s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\layout.bin

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\layout.bin

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

427s

Max time network

464s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\secdrv.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\secdrv.sys

C:\Users\Admin\AppData\Local\Temp\secdrv.sys

C:\Users\Admin\AppData\Local\Temp\secdrv.sys

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2980-0-0x0000000000010000-0x0000000000016E00-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

430s

Max time network

436s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

424s

Max time network

438s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000c0a.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

434s

Max time network

452s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe

"C:\Users\Admin\AppData\Local\Temp\DirectX RunTime\DX81win98_ME.exe"

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

425s

Max time network

456s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

426s

Max time network

488s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

429s

Max time network

435s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.256

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\0000040c.256

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

437s

Max time network

444s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrcc1a.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\setu482f.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\obje4e1b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\train.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\models\generic.txd C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\pedstats.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\surface.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\ital5937.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\fist4e0b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta3.zon C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\object.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\ped4e1b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\weap4e3a.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAt5649.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC22.TXD C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\mainsc1.txd C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\Website\webs59d3.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\audio\sfx.RAW C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\waterpro.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\fren5937.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\gta3.exe C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\time4e2b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industSE.ipl C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industne\industNE.col C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\ReadMe_FRENCH.txt C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\TEXT\amer5927.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5966.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC17.TXD C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC6.TXD C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\setup.ini C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\anim\cuts.img C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\weapon.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comroad\comroad.col C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\industSW.ipl C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE14.DAT C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\ReadMe\ReadMe_GERMAN.txt C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\SPLASH3.TXD C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\pedg4e1b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\gta3.IDE C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comS4e88.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\temppart\temppart.ide C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\temppart\temppart.ipl C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\Icons\gta3.ico C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHASE10.DAT C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\paths\CHAS4f15.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\models\Coll\suburb.col C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{92B94569-6683-4617-8C54-EB27A1B51B30}\Setup.ini C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\anim\cuts.dir C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\anim\gta34a43.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\audio\sfx.SDT C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta3.dat C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\hand4e0b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comroad\comr4e79.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5956.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOADSC11.TXD C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\data\gta34e0b.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\data\map.zon C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\models\gta3.dir C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Rockstar Games\GTAIII\mss\Mssrsx.m3d C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\txd\LOAD5995.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File created C:\Program Files (x86)\Rockstar Games\GTAIII\txd\NEWS59c3.rra C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617} C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper.1 C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838} C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\Engine\\6\\INTEL3~1\\IKernel.exe" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\IScript\\iscript.dll" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\engine\\6\\INTEL3~1\\iKernel.exe" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ = "ISetupObjectContext" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.User.1\ = "InstallShield setup user interafce" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\Version = "1.0" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel\CLSID C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ = "ISetupCABFile2" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS\ = "0" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32 C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ = "ISetupScriptEngine2" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303} C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9} C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\TypeLib\Version = "1.0" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D} C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA} C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry" C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303} C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}" C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe

"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Files

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

memory/2252-99-0x0000000000920000-0x0000000000933000-memory.dmp

memory/2252-105-0x0000000003480000-0x00000000034B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\isrt.dll

memory/2252-119-0x0000000003AC0000-0x0000000003AEC000-memory.dmp

memory/2252-113-0x00000000035E0000-0x0000000003633000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\_IsRes.dll

C:\Users\Admin\AppData\Local\Temp\{92B94569-6683-4617-8C54-EB27A1B51B30}\setup.inx

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comnbtm\comNbtm.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comntop\comNtop.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comse\comSE.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\comsw\comSW.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industse\industSE.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\industsw\industSW.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\data\maps\landne\landne.ipl

C:\Program Files (x86)\Rockstar Games\GTAIII\models\Generic\player.bmp

C:\Program Files (x86)\Rockstar Games\GTAIII\movies\GTAtitlesGER.mpg

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

441s

Max time network

448s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data1.hdr

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data1.hdr

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

421s

Max time network

440s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000001.tmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000001.tmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

438s

Max time network

444s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.016

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\00000407.016

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

429s

Max time network

490s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4848 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\drvmgt.dll,#1

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-10 01:18

Reported

2024-11-10 01:32

Platform

win11-20241007-en

Max time kernel

423s

Max time network

455s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.inx

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\setup.inx

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

N/A