
Windows Analysis Report
gta_sa.exe

Overview

General Information

Sample name: gta_sa.exe
Analysis ID: 1559582
MD5: e7697a085336f974a4a6102a51223960
SHA1: 0df50d56ef9e304c8d59366afa9aa5c71159261d
SHA256: 8c609f108ad737deffbd0d17c702f5974d290c4379de742277b809f80350da1c
Tags: exegtasanandreassinvirususer-tuinsi

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file has a writeable .text section
Creates a DirectInput object (often for capturing keystrokes)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • gta_sa.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\gta_sa.exe" MD5: E7697A085336F974A4A6102A51223960)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: gta_sa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdbWINMM.dll | source: gta_sa.exe
Source: Binary string: x:\SA_PC_SRC (pcv110 - final)\gta_source\MSVC PC files\D3D9 Final\gta_sa.pdb | source: gta_sa.exe
Source: gta_sa.exe | String found in binary or memory: http://www.rockstargames.com
Source: gta_sa.exe | String found in binary or memory: http://www.rockstargames.com/sanandreas
Source: gta_sa.exe | String found in binary or memory: http://www.rockstarnorth.com
Source: gta_sa.exe, 00000000.00000000.1705095651.0000000000858000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Please check you have installed Direct X 9 correctly : Couldn't DirectDrawCreateExmemstr_68087084-d

System Summary

Source: gta_sa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: gta_sa.exe | Static PE information: Number of sections : 11 > 10
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesony_ssm.sysD vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesony_ssm.vxd?+LegalCopyrightCopyright (C) 2004/05 Sony DADC Austria AG vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCmdLineExt.dll, vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000000.1705376592.0000000001480000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUAService7.exeD vs gta_sa.exe
Source: gta_sa.exe, 00000000.00000002.2962479592.0000000001456000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSecuExp.exeD vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilenameSecuExp.exeD vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilenamesony_ssm.sysD vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilename vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilenamesony_ssm.vxd?+LegalCopyrightCopyright (C) 2004/05 Sony DADC Austria AG vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilenameCmdLineExt.dll, vs gta_sa.exe
Source: gta_sa.exe | Binary or memory string: OriginalFilenameUAService7.exeD vs gta_sa.exe
Source: gta_sa.exe | Binary string: @B\Device\sony_ssm.sys\DosDevices\sony_ssm.sys`
Source: classification engine | Classification label: sus23.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\gta_sa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gta_sa.exe | String found in binary or memory: %s -install to install the service
Source: gta_sa.exe | String found in binary or memory: UserAccess7%s -install to install the service
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: acspecfc.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: mscms.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: ddraw.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: dciman32.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: vorbisfile.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: eax.dll
Source: C:\Users\user\Desktop\gta_sa.exe | Section loaded: version.dll
Source: gta_sa.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: gta_sa.exe | Static file information: File size 14405632 > 1048576
Source: gta_sa.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x456000
Source: gta_sa.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x64a000
Source: gta_sa.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x255000
Source: gta_sa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample | Static PE information: section where entry point is pointing to: .init
Source: gta_sa.exe | Static PE information: section name: _rwcseg
Source: gta_sa.exe | Static PE information: section name: _TEXT_HA
Source: gta_sa.exe | Static PE information: section name: _rwdseg
Source: gta_sa.exe | Static PE information: section name: .init
Source: gta_sa.exe | Static PE information: section name: .securom
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: gta_sa.exe | Binary or memory string: 7HGfSV/(jH`qq
MITRE ATT&CK matrix (matched techniques, with the number of triggered signatures in parentheses):
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: DLL Side-Loading (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (1), System Information Discovery (1)
Collection: Input Capture (1)
Source | Detection | Scanner | Label | Link
gta_sa.exe | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.rockstarnorth.com | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.rockstargames.com | gta_sa.exe | false | | high
http://www.rockstarnorth.com | gta_sa.exe | false | Avira URL Cloud: safe | unknown
http://www.rockstargames.com/sanandreas | gta_sa.exe | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559582
Start date and time: 2024-11-20 17:30:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gta_sa.exe
Detection: SUS
Classification: sus23.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: gta_sa.exe
      No simulations
      No context
      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.428002861421193
TrID:
• Win32 Executable (generic) a (10002005/4) 98.68%
• Windows ActiveX control (116523/4) 1.15%
• DOS Executable Borland C++ (13009/5) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: gta_sa.exe
File size: 14'405'632 bytes
MD5: e7697a085336f974a4a6102a51223960
SHA1: 0df50d56ef9e304c8d59366afa9aa5c71159261d
SHA256: 8c609f108ad737deffbd0d17c702f5974d290c4379de742277b809f80350da1c
SHA512: 2abc0796fa3f4e194c7714ea15e6fea0ce34adee467adfb6ad96d56470718f7ae7c11dbe38f91699bd933a29edf7b0cf62bcdcc742df58a2aeb2b518e5c90d41
SSDEEP: 393216:CDNnPxT4+Xkn6x9ayhgvdQ65jvA2mqQ+:Uni+io9uvdQgA9q
TLSH: A9E612577600C097EA4330724806FC967791CE745F7796A37B8CBE2E29B2694D8372E2
Icon Hash: 8e87878e9c8caeb7
Entrypoint: 0x12ffe40
Entrypoint Section: .init
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4270F18A [Thu Apr 28 14:22:02 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: c07fc76a0773659fb8c5e6b5013914ea
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1157e12 | 0xdc | .securom
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8b0000 | 0x520 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1156368 | 0x1c | .securom
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x115757a | 0x44c | .securom
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4a1ee0 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x455cda | 0x456000 | 759a86ec888aca835be83bebb36c1cc1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
_rwcseg | 0x457000 | 0x451 | 0x1000 | 0c2f94cf9c1c85e37a8d1a6d9c1cd35b | False | 0.28955078125 | data | 2.941959439091133 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x458000 | 0x4b29c | 0x4c000 | db7d4d54315fd5a8a7976f276eddfc9f | False | 0.3458444695723684 | OpenPGP Public Key | 5.541613871037211 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4a4000 | 0x3f9434 | 0x40000 | 8995715a053ef41f4333bdf7d75bea65 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_TEXT_HA | 0x89e000 | 0x10a82 | 0x11000 | febc8925ffd3776de6530510bfa64292 | False | 0.5987333409926471 | data | 6.540908103945562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_rwdseg | 0x8af000 | 0x8 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x8b0000 | 0x520 | 0x1000 | 646afd3f5531f001cd9b81d0f834f78f | False | 0.166259765625 | data | 1.5415565362664405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.text | 0x8b1000 | 0x649b20 | 0x64a000 | f062b900278a4650741b3bb5d8d42279 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.init | 0xefb000 | 0x58b0 | 0x6000 | cb55fba15addd8f19db1a0801a1a6435 | False | 0.3461100260416667 | data | 6.101240107284273 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0xf01000 | 0x2543c4 | 0x255000 | 878547f1485a698402473d89664a5c14 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.securom | 0x1156000 | 0x21000 | 0x21000 | 7f9a63689422c0be83e02b065491d857 | False | 0.5552201704545454 | data | 6.467953452624957 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x8b0220 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | Great Britain | 0.5443548387096774
RT_DIALOG | 0x8b00f0 | 0x12e | data | English | Great Britain | 0.6158940397350994
RT_GROUP_ICON | 0x8b0508 | 0x14 | data | English | Great Britain | 1.2
DLL | Import
WINMM.dll | timeEndPeriod, timeGetTime, timeBeginPeriod, timeGetDevCaps
vorbisfile.dll | ov_open_callbacks, ov_clear, ov_time_total, ov_time_tell, ov_read, ov_info, ov_time_seek
WS2_32.dll | recv, send, closesocket, htons, inet_addr, connect, WSAGetLastError, WSAStartup, WSACleanup, socket
EAX.DLL |
KERNEL32.dll | VirtualProtect, GetOEMCP, GetACP, IsBadCodePtr, IsBadReadPtr, GetStringTypeW, GetStringTypeA, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetCPInfo, GetDateFormatA, VirtualQuery, GetTickCount, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetFileSize, CloseHandle, LocalFree, WaitForSingleObjectEx, GetOverlappedResult, WaitForSingleObject, ReleaseSemaphore, SetFilePointer, GetLastError, ReadFile, SetLastError, CreateFileA, ResumeThread, SetThreadPriority, GetThreadPriority, GetCurrentThread, CreateThread, LocalAlloc, CreateSemaphoreA, GetDiskFreeSpaceA, Sleep, QueryPerformanceCounter, InterlockedIncrement, InterlockedDecrement, lstrcpyA, lstrcatA, lstrlenA, DeleteCriticalSection, SuspendThread, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, MultiByteToWideChar, DeleteFileA, TerminateThread, FindClose, FindNextFileA, GetFileAttributesA, FindFirstFileA, FreeLibrary, QueryPerformanceFrequency, OutputDebugStringA, GetLocalTime, CreateDirectoryA, GetUserDefaultLCID, SetStdHandle, CreateEventA, GetVolumeInformationA, GetDriveTypeA, GetLogicalDriveStringsA, SetErrorMode, GlobalMemoryStatus, GetVersionExA, GetCommandLineA, GetFullPathNameA, WideCharToMultiByte, lstrcmpiA, GetSystemInfo, IsProcessorFeaturePresent, LockResource, LoadResource, SizeofResource, FindResourceA, FindResourceW, MapViewOfFile, CreateFileMappingA, CreateFileW, UnmapViewOfFile, ReleaseMutex, CreateMutexA, GetCurrentProcessId, GetSystemDirectoryA, GetModuleFileNameA, FreeEnvironmentStringsA, UnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, FlushFileBuffers, LCMapStringW, LCMapStringA, WriteFile, FatalAppExitA, SetUnhandledExceptionFilter, HeapSize, TlsAlloc, TlsGetValue, TlsSetValue, GetCurrentThreadId, TlsFree, GetStartupInfoA, HeapReAlloc, HeapAlloc, HeapFree, GetSystemTimeAsFileTime, GetCurrentProcess, TerminateProcess, ExitProcess, RtlUnwind, RaiseException, InterlockedExchange, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetConsoleCtrlHandler, GetTimeFormatA, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetTimeZoneInformation, SetEndOfFile, GetLocaleInfoW, GetCurrentDirectoryA, GetSystemDefaultLCID, SetCurrentDirectoryA, GetEnvironmentStrings, CompareFileTime, SetFileAttributesA, CopyFileA, WaitNamedPipeA, SetNamedPipeHandleState, GetShortPathNameA, FileTimeToSystemTime, GetWindowsDirectoryA, GetUserDefaultLangID, CreateProcessA, GetTempPathA, DeviceIoControl, FormatMessageA, GetLogicalDrives, SetPriorityClass, GetPriorityClass, QueryDosDeviceA, lstrcmpA
USER32.dll | wsprintfA, IsIconic, GetWindowLongA, GetMenu, AdjustWindowRectEx, SystemParametersInfoA, DestroyWindow, SetWindowLongA, ShowWindow, LoadIconA, LoadCursorA, RegisterClassA, ReleaseCapture, GetWindowPlacement, SetTimer, ClipCursor, PostQuitMessage, SetCursor, SetCapture, DefWindowProcA, MapVirtualKeyA, UpdateWindow, GetKeyState, FindWindowA, SetForegroundWindow, PeekMessageA, DispatchMessageA, TranslateMessage, GetKeyboardLayout, DialogBoxParamA, EndDialog, GetDlgItem, SetFocus, SendMessageA, SetWindowPos, AdjustWindowRect, CreateWindowExA, ShowCursor, GetWindowRect, MessageBoxA, SetWindowTextA, ClientToScreen, SetCursorPos, GetClientRect, SendDlgItemMessageA, GetWindowTextA, GetParent, GetClassNameA, FindWindowExA, EnumWindows, LoadCursorFromFileA, SetSystemCursor, LoadImageA, CopyImage, GetForegroundWindow, DialogBoxIndirectParamA
GDI32.dll | DeleteObject
ADVAPI32.dll | RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegSetValueExA, OpenThreadToken, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, RegEnumKeyExA, ControlService, QueryServiceStatus, OpenSCManagerA, CreateServiceA, OpenServiceA, StartServiceA, DeleteService, CloseServiceHandle, RegQueryValueA, RegFlushKey, RegDeleteValueA, RevertToSelf
ole32.dll | CoCreateInstance, CoInitialize, CoUninitialize
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
      No network behavior found


Target ID: 0
Start time: 11:31:05
Start date: 20/11/2024
Path: C:\Users\user\Desktop\gta_sa.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\gta_sa.exe"
Imagebase: 0x400000
File size: 14'405'632 bytes
MD5 hash: E7697A085336F974A4A6102A51223960
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

      No disassembly