zgrat | hxxps://gofile[.]io/d/X7JzIb

Analysis

max time kernel
281s
max time network
283s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/X7JzIb

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ms_updater.exe	family_zgrat_v1
behavioral1/memory/1696-352-0x0000000000880000-0x0000000000A86000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops startup file 3 IoCs

Processes:

taskmgr.exems_tool.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\system32.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe	ms_tool.exe

Executes dropped EXE 7 IoCs

Processes:

winrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exeGTA 6 Builder-Install.exems_tool.exems_updater.exeGTA 6 Builder-Install.exe

pid	process
4236	winrar-x64-700.exe
2112	winrar-x64-700.exe
2532	winrar-x64-700.exe
4768	GTA 6 Builder-Install.exe
4360	ms_tool.exe
1696	ms_updater.exe
4752	GTA 6 Builder-Install.exe

Loads dropped DLL 1 IoCs

Processes:

taskmgr.exe

pid process

2708 taskmgr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2708	taskmgr.exe

Drops file in Windows directory 3 IoCs

Processes:

7zFM.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	7zFM.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4580 4752 WerFault.exe GTA 6 Builder-Install.exe

pid	pid_target	process	target process
4580	4752	WerFault.exe	GTA 6 Builder-Install.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587850154870423"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4148 NOTEPAD.EXE

pid	process
4148	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exe

pid	process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
4996	chrome.exe
4996	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

OpenWith.exe7zFM.exe7zFM.exetaskmgr.exe

pid process

3340 OpenWith.exe
4236 7zFM.exe
3340 7zFM.exe
2708 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe
2708	taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exewinrar-x64-700.exewinrar-x64-700.exewinrar-x64-700.exeOpenWith.exe

pid	process
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
3340	OpenWith.exe
4236	winrar-x64-700.exe
4236	winrar-x64-700.exe
4236	winrar-x64-700.exe
2112	winrar-x64-700.exe
2112	winrar-x64-700.exe
2112	winrar-x64-700.exe
2532	winrar-x64-700.exe
2532	winrar-x64-700.exe
2532	winrar-x64-700.exe
4212	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3832 wrote to memory of 4560	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 4560	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3604	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2244	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2244	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 164	3832	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/X7JzIb
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9941f9758,0x7ff9941f9768,0x7ff9941f9778
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:2
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2820 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4816 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5300 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5592 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5868 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5860 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5896 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3160 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2248 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3768 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:2444

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5572 --field-trial-handle=1832,i,5429355649114326118,223066768251698312,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0a77d279c92b4506a8caa4b823a5cec5 /t 5052 /p 4236
1⤵
PID:4508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3632

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a16ab2f213dd44f582e03d704d0a029b /t 2732 /p 2112
1⤵
PID:4588

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:4236

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\GTA 6 Builder-Install.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3340

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap784:104:7zEvent23559
1⤵
PID:2732

C:\Users\Admin\Downloads\GTA 6 Builder-Install.exe
"C:\Users\Admin\Downloads\GTA 6 Builder-Install.exe"
1⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Roaming\ms_tool.exe
"C:\Users\Admin\AppData\Roaming\ms_tool.exe"
2⤵
- Drops startup file
- Executes dropped EXE
PID:4360

C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4148

C:\Users\Admin\Downloads\GTA 6 Builder-Install.exe
"C:\Users\Admin\Downloads\GTA 6 Builder-Install.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 452
2⤵
- Program crash
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\42f80f86-256e-4a69-b7a1-30f8545dc7c4.tmp
Filesize
5KB

MD5
e69d21d2cb114e02339d16258c22f529

SHA1
e3c12bed3cd28fdeff6de4a04c18a39067a1cb73

SHA256
914ae2b9f55d41cb486853b2c4e301d2bc49811b82c0b7a906430c3685b91093

SHA512
5751715a8df9372bac8fe6c9577810231e66dae545d52ff3d0284f2c86a7daa5064751c1ba2d467b6694cc3a8fad11b8757d3201ce3a5bdb41a945044dba5c95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
624B

MD5
a77599a0241171b943b703fd46162765

SHA1
c04f6d8afed86e5b9566e2f86c3441e1211c4dd2

SHA256
09255cef056649123108d59cf30a35ba7e0a3acd76181413ec5260f441459101

SHA512
38138554b0d5c1d56552a66ee1e8f690d37b406c783b93382e4d0939756db8758ac1200c7f7768e50a29b5a9d89bf0f4f3fc915707934f4be0226268f260822c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
4262f2c5df9a36251940d5e0e7f990d7

SHA1
c630eb0858fc2516d1cea276d40de7ed9fda770a

SHA256
9a52abc19a093b2f85d22b62b655d3714b43052af8220d8e98e1a660dea05099

SHA512
121fe1e216158a738eb4e7e2fa99871d57cd3137b3b3489d06673057712f7f32087c99df2ebc1c71d8ac494ed2c95fdbfb53be58fabb306c2b79ace0ebfc2d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
b854b34885884e8693a6ef9a3eddb674

SHA1
6a91095accbf42737616a338604164d8d4627a00

SHA256
c6475981065caf4dcbf815c7ce784841ec24a66d34b3376b29bef0599e9a56bf

SHA512
4f7894f4ee923a61699bf4a51948c3a6de151ab0f7476b7e8cc96e933f24ec676da7fb287d89b7e37aa991514064c8af95cc1b561a94365ad795f35bda7120a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
95d92844bbd0a959c729a7173fe027c3

SHA1
4f718c0e0a7748e1c5cdf57a06036e1748773988

SHA256
0e64c46840fabb5117f127e8ddd0e09cb52201603357d5fcb81100a648af7abd

SHA512
0a0608c99f03966dcfaae761e7cbe9a398f85022fc6846933f1d695d8c3cb75748a76d8c594d7c430bfcf36ce4da498de98b5586a413018a022618d4d533d687

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0ee787c6dd3199d7b30c3052bbff1b84

SHA1
8755fc0732f0cc03a1938ed8083396249635e1ee

SHA256
6632fc5be12e2378834a2450c199cff32c2336acb60655d67a54e0c4096f6b80

SHA512
5d37e87ac64849269ea12e2a92c4eaf878cc49dd5f95d8975d064991586cd248a432464202a4837cb08fcfa93edcdc2051e1456e493e9f1ff1a560f0144ea1e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
496d0b06bf5684afcfdc5cbc122173a8

SHA1
9ee3162e2371bd0d50e61f1e31e26b402a3200e3

SHA256
8e744522127de7b35aa372021835b57d344736c7d3978885c068c68849159db9

SHA512
eb5e293ae6940692732fe1208de08b7a6976adbd2689c746908f678aa58ad28f07d2d1925f9cb02cda7b621140605741d94cbc531ff09a4e496d1ea6eab8f59e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
870B

MD5
935ce8ba59aa945481d86798884493da

SHA1
a5dd235f7efc413666c65fcc7cbda7d9b2a5bb40

SHA256
5b1d2fcfd0998e652e115170a807c94fee54280c57469b248afa7c0dd264fe89

SHA512
bb929297d639081c034561ff9f15c0cdb48ee968081a29a5179db02073b1626b1be84e5cc95d444348971a8b00ffbf754995ef0a2e05a23501206e8b7b062b65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
703B

MD5
b9b4cebd61c5f2f386c8d619be105dec

SHA1
adec22455ca3600934d24d88054b7918e1250ce9

SHA256
a15d3af060bccc09498c062888130e4e42c4cd88ccc646b69829db270861b385

SHA512
7f33178030dc10b5daa00f5374651fdb0002ec7f7d4d7abbf4d19d181ff7496ec3a5abcb3c31ca4bcfb5cdcd9da8631bf6e7cb417a2fb782a3467d9d72194cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
701B

MD5
4089d4d8ef50ee6dc154a16cbce3c69e

SHA1
f97a88671944dec4427c21abd21a0f66d23f4b9f

SHA256
43d15d3a295f9d620ad2aa77a8e7a689821e065b1cfcc99d7f1ddfe89996f932

SHA512
3db30209b47ce2a885be55646c84e9ff2fa33bf667e57286145e8e4a83a969182ecc5dd85985cf9ebf0b1ea4b98bd73cc33cb839de3a727184344c209b662e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
870B

MD5
8e773483480cea5578fc4f1b791f0a57

SHA1
ab92fc6fe2a0cb73520605e27dd680522425e055

SHA256
b4d824ecd5e04d5a4a1c9b9d415e104564f61531190df6859a0bb5b466c28afb

SHA512
4b9d565e74c5441858c0e889413af62fba917a1df1e9d1a98e98b24d1a4db9d2fc1a0edef34274bb76ce0360d8bad2e143d8504701e0d2d32ed9710e67a1fdaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c95bee87300c702fb703347980b92e28

SHA1
490155d1906dbab1820351427540abcc6c4ddcd9

SHA256
6ba330cc5f8576f36509c19d904cc0c6e66fcd2ea324bc6c9326988a1789784e

SHA512
8b5b97dcbd48a73384d4512d678d48b747d4695130daa227d3edcaa4228afac47c39006d1c71a11fd8c6e986d49f0e7a18b1b6a9c9189d26f282fd6a95eb9843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fe0cb0c415a9b7aba9beb75934b32c71

SHA1
3f52ce48b4512b5e41d616c6195e578cb219de58

SHA256
a62dcef7de6148c0af4abae9d8e23bd67e91efcfd678335f13d9edd5f30d2433

SHA512
768a04d8e6da90943b0b76823a9709061f88851f2f650864f4b9286506a33eb0376f9afa10e04976c22c9c9ba072e664e31473ad87b944397c896602ba94af66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3d6a5b206774cd6ff3bdc0d5230384fc

SHA1
50209a0d1b7b620f01899f5dbab5e6befdcc1593

SHA256
a1d869c678da0d27d2abd4953304f6bc162378812a9ddc3ac1d7ac56d192ffcf

SHA512
a17a186d01240ddc355d0670e3a233a0edf69dde1d0dfbec5af62931927a05f82138edd645f2123530d777d6261f066140ed1c3b7cdbcbfc3a2de16642e0a399

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
627e3ee606e7c94c7cee900afd16df5e

SHA1
13193399ec88a0cf7e842960c2478cce82323b96

SHA256
844d56eeb05b2538adee4a1c49159f2b32a84c97808a8cfa01c9e9cc34c74c50

SHA512
b6056b7a67359076ea729326b4a39b34d9e054059d72a9e9cbc0d6ce4262155e4f1cd196a19ff5b3299313863a5014d86233eb03959aeb765d451aa4ddb97a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
92KB

MD5
758a1f2c990109458be2ddb1e1c7a56a

SHA1
9d6c7ac0c1134fe7416de9b1a87a86e7ff542fc0

SHA256
2365b5f35219e9c623db519df8802110e33030ef9502a3dc92b806c53898386a

SHA512
14a957c998b8d06d845e633e0eb12d32d9a3f8b075c574efbbbcbbc01e2d50742e311f1d0f53f67ca6961451f36e088cbe17953c2be3626a32f40764c5d08a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
d535882e287c26e62fe9b43e250f9d39

SHA1
8ac07acd5000158e33332b9f44150c9afd6eb95d

SHA256
d48838dc4df69b5243b02ae90db3785c18d83c151e0247a769222bf218d1a594

SHA512
0bc7f29a9295040a790e667872ccefea59e00c614ab450cbf5eb1eaae51548e1d4832ca60d35d92dd70fd8f38e0be9bdbbec7da92ed1e155c539ef6da9d49e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
af2582b73d5588d362b19c63833b5c5e

SHA1
d7eb0bf2b29553ec14e041352574a90ac9c37956

SHA256
c9e6f63a75645df207157c8eeed1f61d8fb0f1e1c88f823b299d304aa67d00c0

SHA512
9bebee7a3a06b9c319e9f3e159f07564c34b7bcce395085d95f2fdde1b8724fa9e98c3527e8835a62beec40acbff6174af04ee128a2bd5c243c9b7d396943477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
107KB

MD5
446c5c4db8645c38c926fcea533fdbd7

SHA1
805878c597d4ccd1bc5410d91449938e40286e43

SHA256
c7ac8cb2bc036d19f846618d4aecb97b7f8341fb7e7fe4c4ad5c74b5df005db3

SHA512
64b4a91dce1b2f632dd8ad1506dd49b2811be074d8c26a807f0d08edea45579afb135786ab7b87e8405e2023c3fbd6f3e5c1a4d2c3af672f3624778e55bca4fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5859f2.TMP
Filesize
104KB

MD5
51e7e4206e97b493394245be534e1485

SHA1
91a0f2b73dd9e3f2f57a03c6e1aa5fb404ce0f02

SHA256
3c145b623fa82d28882915346eddb1f7593c3b49147409b9c0f5bab7eac31494

SHA512
f0b2bd3b3ad4795d55548201b42208676c54e30db09caa3f66f89c992f65bfbf616169af451b130e281406dc2bca9128aff0f29cb9918c3d09712c56517d8ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
fa93db9becf5c2272c16fff3d0cb6db7

SHA1
388ac6892267f8f811b19166ee5fbd6106016c98

SHA256
08864b76fc104402b0b2f795e7efa9997fef2a625a7b5fa40bf5dc18a07beff5

SHA512
43c464a8924e44b4e55dbad306cfb9fbaede71aa8b908674fd2220eb2e99e42681f44fb045c949802453649a15038fd63d559a04703523b2debcb05552b7acca

Download Submit
C:\Users\Admin\AppData\Roaming\ms_tool.exe
Filesize
11KB

MD5
f8701952b62a7e52652271a20b824128

SHA1
82292b1cd54afa277116b42f4b1c43c8933478f0

SHA256
5b0b886143ffe9f5c5750c9b171656783668b655e559ea95d002a265586e3413

SHA512
5acde46db767cf11ea5183007542fd67e1512ccfbcc37efdec685e2db369840a767981b0996dbace0f40602ada0a5c0aed39019ce06590151cd59f0dfa5d68e5

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe
Filesize
2.0MB

MD5
31e5e3ac5a03d60d67188b6b0c3d152b

SHA1
41e831bc8b0c314a46d17492ded7b6b587d66db2

SHA256
dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467

SHA512
64837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2

Download Submit
C:\Users\Admin\Downloads\GTA 6 Builder-Install.exe
Filesize
13.1MB

MD5
95f7a7d1658b372cbcbd6cc1ef91bef9

SHA1
180182eef4ac2baaa0d773aeb59aec022a3d34cc

SHA256
841d63d65e18b16579ff539e49ea437ef27c488d52d463b0105cdd4b19d2ea37

SHA512
26bc67b7665bb2423e765249caf7ab7a0634af699335568d5b19732a149560d9b77bc586477c12bacc66cf382a1e80b9846e6fe05d9e9315e66f88e438d4c095

Download Submit
C:\Users\Admin\Downloads\GTA 6 Builder-Install.rar
Filesize
15.0MB

MD5
9de6427096abb3204c53588d686df646

SHA1
42c3c886b08442120029fad062f17c51268acce3

SHA256
8a464dc6c1c036ff976af16c85f712538e324c307ccacb0d3fb219f2c5663a47

SHA512
71d1b04e98785f2401554576843971f6f066a3b4e16530564b320a3116ae6313bf03e6cea11494bab1f1948785b9bc0d15153654adf34653805b92aeabdd097e

Download Submit
C:\Users\Admin\Downloads\README.txt
Filesize
20B

MD5
229bfb07694f123e2cb4986f47100a62

SHA1
c07256227a3878a9fcb029dfa2794b2003787cd5

SHA256
8df26b1f550c80646f01d25b8aafcabb1342bbb2be1cd335cdb8d254be8c4090

SHA512
e5d153f6a3de43124ba343fd95c01baa550ad485ae2078487e8669988fa034fccbc4420695d9006b6ce19340a9f43ede7eb6509437fb32d679beb571f2981b69

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700.exe
Filesize
3.8MB

MD5
48deabfacb5c8e88b81c7165ed4e3b0b

SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

Download Submit
\??\pipe\crashpad_3832_WAGSYSKUEUONULFW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1696-363-0x000000001B6F0000-0x000000001B702000-memory.dmp

Filesize
72KB

Download
memory/1696-354-0x0000000002BB0000-0x0000000002BCC000-memory.dmp

Filesize
112KB

Download
memory/1696-355-0x000000001B830000-0x000000001B880000-memory.dmp

Filesize
320KB

Download
memory/1696-357-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/1696-359-0x0000000001230000-0x000000000123E000-memory.dmp

Filesize
56KB

Download
memory/1696-361-0x0000000001240000-0x000000000124E000-memory.dmp

Filesize
56KB

Download
memory/1696-352-0x0000000000880000-0x0000000000A86000-memory.dmp

Filesize
2.0MB

Download
memory/1696-365-0x0000000001260000-0x000000000126C000-memory.dmp

Filesize
48KB

Download
memory/1696-367-0x000000001B6D0000-0x000000001B6DE000-memory.dmp

Filesize
56KB

Download
memory/1696-369-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

Filesize
48KB

Download
memory/4360-348-0x000001EDCACA0000-0x000001EDCACA8000-memory.dmp

Filesize
32KB

Download
memory/4752-372-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/4752-373-0x00000000001F0000-0x000000000174A000-memory.dmp

Filesize
21.4MB

Download
memory/4768-336-0x00000000001F0000-0x000000000174A000-memory.dmp

Filesize
21.4MB

Download
memory/4768-335-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download