e7dc3d739ae6d011d8aac8f3c03b4b90fe38a8d77de0b87e278d81a007afeac6

Analysis

max time kernel
330s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA 6 Builder-Install.zip
Size

14.9MB
MD5

873cd3e4b90f41840bfaf642df1f9796
SHA1

ad89931f6b5726aa9417ee72955c2e57b446bb0b
SHA256

e7dc3d739ae6d011d8aac8f3c03b4b90fe38a8d77de0b87e278d81a007afeac6
SHA512

a394bcf26d404fe080d0b9405edee5c3f99adc7c282767ede751c6720bf16b20281e1bbdbd644c89dd666dd88a77c3bdb75c7ddb7957beb38491983bd00812db
SSDEEP

393216:0/xkF3ZVcLYYcowQYKQV01C1aNczWZWzhsFJ5G2K8hlQ:0C1rY66OzHhs75JKQQ

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

GTA 6 Builder-Install.exeGTA 6 Builder-Install.exeGTA 6 Builder-Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GTA 6 Builder-Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GTA 6 Builder-Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GTA 6 Builder-Install.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GTA 6 Builder-Install.exeGTA 6 Builder-Install.exeGTA 6 Builder-Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GTA 6 Builder-Install.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ComHostSvc.exeComHostSvc.exeComHostSvc.exeGTA 6 Builder-Install.exeGTA 6 Builder-Install.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeGTA 6 Builder-Install.exeComHostSvc.exeComHostSvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ComHostSvc.exe

Drops startup file 2 IoCs

Processes:

Runtime64.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Runtime64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	Runtime64.exe

Executes dropped EXE 18 IoCs

Processes:

GTA 6 Builder-Install.exeComHostSvc.exeRuntime64.exeGTA 6 Builder-Install.exeComHostSvc.exeRuntime64.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeGTA 6 Builder-Install.exeComHostSvc.exeComHostSvc.exeRuntime64.exe

pid	process
1972	GTA 6 Builder-Install.exe
1608	ComHostSvc.exe
4636	Runtime64.exe
3864	GTA 6 Builder-Install.exe
1280	ComHostSvc.exe
3124	Runtime64.exe
1876	ComHostSvc.exe
4476	ComHostSvc.exe
3112	ComHostSvc.exe
516	ComHostSvc.exe
1180	ComHostSvc.exe
1756	ComHostSvc.exe
1996	ComHostSvc.exe
516	ComHostSvc.exe
2644	GTA 6 Builder-Install.exe
3564	ComHostSvc.exe
1080	ComHostSvc.exe
3828	Runtime64.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe	themida
behavioral2/memory/1972-166-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/1972-168-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/1972-197-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/3864-216-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/3864-219-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/2644-357-0x0000000000400000-0x0000000002094000-memory.dmp	themida
behavioral2/memory/2644-371-0x0000000000400000-0x0000000002094000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GTA 6 Builder-Install.exeGTA 6 Builder-Install.exeGTA 6 Builder-Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GTA 6 Builder-Install.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GTA 6 Builder-Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

GTA 6 Builder-Install.exeGTA 6 Builder-Install.exeGTA 6 Builder-Install.exe

pid process

1972 GTA 6 Builder-Install.exe
3864 GTA 6 Builder-Install.exe
2644 GTA 6 Builder-Install.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641914301333965"	chrome.exe

Modifies registry class 10 IoCs

Processes:

OpenWith.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ComHostSvc.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1416 PING.EXE
4116 PING.EXE
896 PING.EXE
4272 PING.EXE

pid	process
1416	PING.EXE
4116	PING.EXE
896	PING.EXE
4272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeComHostSvc.exe

pid	process
4372	chrome.exe
4372	chrome.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe
1608	ComHostSvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4780 OpenWith.exe
Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid

4
4
4
4
4
660
4
4
4
4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4372 chrome.exe
4372 chrome.exe
4372 chrome.exe
4372 chrome.exe
4372 chrome.exe
4372 chrome.exe
4372 chrome.exe
4372 chrome.exe

pid
4
4
4
4
4
660
4
4
4
4

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

chrome.exe7zG.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exeComHostSvc.exe

description	pid	process
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeRestorePrivilege	1384	7zG.exe
Token: 35	1384	7zG.exe
Token: SeSecurityPrivilege	1384	7zG.exe
Token: SeSecurityPrivilege	1384	7zG.exe
Token: SeDebugPrivilege	1608	ComHostSvc.exe
Token: SeDebugPrivilege	1280	ComHostSvc.exe
Token: SeDebugPrivilege	1876	ComHostSvc.exe
Token: SeDebugPrivilege	4476	ComHostSvc.exe
Token: SeDebugPrivilege	3112	ComHostSvc.exe
Token: SeDebugPrivilege	516	ComHostSvc.exe
Token: SeDebugPrivilege	1180	ComHostSvc.exe
Token: SeDebugPrivilege	1756	ComHostSvc.exe
Token: SeDebugPrivilege	1996	ComHostSvc.exe
Token: SeDebugPrivilege	516	ComHostSvc.exe
Token: SeDebugPrivilege	3564	ComHostSvc.exe
Token: SeDebugPrivilege	1080	ComHostSvc.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
1384	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

OpenWith.exe

pid	process
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe
4780	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4372 wrote to memory of 4144	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 4144	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1108	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1864	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 1864	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe
PID 4372 wrote to memory of 816	4372	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.zip"
1⤵
PID:2464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa29d7ab58,0x7ffa29d7ab68,0x7ffa29d7ab78
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:2
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:8
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:8
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3652 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4492 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4864 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4792 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3528 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=2040,i,8683056395405752998,1978833190515494190,131072 /prefetch:1
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\GTA 6 Builder-Install\" -an -ai#7zMap17530:148:7zEvent3451
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1384

C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe
"C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1972

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat"
3⤵
PID:3940

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\21MOevrO8R.bat"
5⤵
PID:3464

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:4384

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:896

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oyk3mdJSzu.bat"
7⤵
PID:1120

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4972

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\inbPLpLC2K.bat"
9⤵
PID:2180

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1644

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat"
11⤵
PID:4316

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4020

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4272

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ADRb0ZiLyY.bat"
13⤵
PID:1108

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2676

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hk8IJNqbTq.bat"
15⤵
PID:4088

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1416

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q4KhmYWH96.bat"
17⤵
PID:5060

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2896

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAbXgo5nXx.bat"
19⤵
PID:4820

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2408

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4116

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
2⤵
- Drops startup file
- Executes dropped EXE
PID:4636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\GTA 6 Builder-Install\README.txt
1⤵
PID:804

C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe
"C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3864

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
2⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe
"C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2644

C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"
2⤵
- Executes dropped EXE
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
811B

MD5
36559f0b28b2687b7befd01bb29cd40f

SHA1
4d05bb3786715689d42de941b2d24979986fae0b

SHA256
b133ad6460286bcfa201d37fba790026498f8d9d885560cc1d21d6612b4ab0e4

SHA512
cd759ab9c3d2355342af12e0e787ed4f8397343fdf1591c8742009de7fec79482e3c210d7b2af160ee847de567629bda23927b6faba68be2e38745e64a6d2c3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fac21006753c30a34631b9e2e3a57434

SHA1
044d4735de6d1af349ac130590f3bdb79b916eeb

SHA256
e65aefc92aa6a2b14bdb5196c0a7b52ec1cbb34b53c701d86039f59a0179a822

SHA512
d9cc8ea70d0e4db5aaa34d6fd623d4c5be54a1a194a1d9c067da04bef8539200cd76ac64904e811f00e0b8309e1e56a93bb5b28c95d40c73f900e591fee92492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8f11521730f1d066a63e384762642a1f

SHA1
5ff30cc4796cbf083a4ab979d753653d865c6414

SHA256
60f87d76b159c72ab079a8f4782e6ada13d7ba3bc71f5dbae0f1b5c1ef270bce

SHA512
809643dd3c6e806cf7efa750c275079538debe46034c1404160c66004f423fdaa900ee9516fc7fa2f63258a70a48332c45e25b371d5b0786fa2a795311e7fbe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
71a39aab71cd46daedb5eb2e793f6b36

SHA1
9274839715e6a115d57f46794714dd98adb3ea71

SHA256
c5335d62236d24410ac68e5f4166ea2e54e35e3d4afda469a787eef9cc84a5a3

SHA512
e5b9786ff3be4abbb4ea3a1acdc3c4d0081b3a4eec12832775fe6b17ce594a0b62bd5ee1afcb7359e453f3e6164577bc56634abe3b20465813cc48c3acf173a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
e79fddfc5f303b8e61fe422093149142

SHA1
9a725c6d7c5be373fb10d7656a283ce76f0537b0

SHA256
6c41ce20137d0db0ac80de235ba7df536f065e087dad74655013b5fe822d3a2b

SHA512
1c2e1ee8b1b322dd57717bb03270a2ec0fb0f4fc59482156e20a39ec5186233b1831736f0f3d2998c6020457de30f6c8f15d7a2539ab29d6e9cd80c6628e792a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
0b028badb943fb3b95c919c88f92bc90

SHA1
3e1e78cb37386e48df3928efde53fc5d0653f2f0

SHA256
d52c7b8427a2b27143f9ad0a84d7a13bbb7e771b75e48989326f1c24b4c8b933

SHA512
d53d45711acea460e8d1b4938596cf7e51e02e6779e011c60e92829b3e1b4a0c5cda6d46cd85bdc16e1f1802b7c105899899420dd72b5f85ed4db933cfca39e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ComHostSvc.exe.log
Filesize
1KB

MD5
9b88ec4146b97a654b26aa3134d72f7b

SHA1
0310fd2b3d9c4a2430884cb3b934944c1795c4f7

SHA256
da8f8d6a1502af37be9b19b9d83bafe15200d9dd2a6ed80513ac9e492b2bcb9d

SHA512
bdc298b59f5635f5f0d418ba0e278e64a6adc1632787cd18120d3038d70e2e39305f25a7aeb1c7c73711eb23a3aa4236430cc8ec379791cb4e265ea273c32e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime64.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\21MOevrO8R.bat
Filesize
176B

MD5
1c1d15fab21dbb401fd00dc400514153

SHA1
0788ec6ec951196bae1e8d672cc1e8d7e8ad608a

SHA256
68956ca77b6e5d45a9eae7158e9fc866b527a2b9aebaae4eb6452e29c3027f63

SHA512
c0239a85847825e0c8ac8ebdbf66a4fe76d4d7fe64e29588b91f569f921aba07a3d9ca749787e1da72a1da809804146bdbf9086a4d3f1a2cd307ce1bf244605e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADRb0ZiLyY.bat
Filesize
224B

MD5
92218fc2df9c9b780a6789fa37b1117d

SHA1
125b8a3935cbb621866b853ab799f7d26aac6fa3

SHA256
9a2fd0d3dd6db1a1f08670cf8d21410e79f0dcdbb40354bd08e78959a0d6041a

SHA512
55569b289dd896bf3edd3de41dedcceac42de83916119bfc522c455c7eaf5c3af6279966b1a177ef37615b43a0bc0b36dd491c9e55aa159bde2287005f36e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ComHostSvc.exe
Filesize
2.0MB

MD5
31e5e3ac5a03d60d67188b6b0c3d152b

SHA1
41e831bc8b0c314a46d17492ded7b6b587d66db2

SHA256
dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467

SHA512
64837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hk8IJNqbTq.bat
Filesize
176B

MD5
1e09ecc87bed9dec0ea4bec35943ac94

SHA1
7ed8fa770383012ee69be1039cab47088445f30d

SHA256
b7a3c5f1ffd5cd637ad62bd835f441d6c053f7cda731f7386150cd825fefef0d

SHA512
b348fde4be657eae8decf26ed6e0bb5fcd876f1e7fdedb8484fa6a80c5ba07127fe255fdc95786ad164c58561f98838566bed2a76cd7c4eba7208c4d9db927ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4KhmYWH96.bat
Filesize
224B

MD5
39cc72d41c9a85ce8439fdef417526f4

SHA1
a3216b46eb2050b35aa23d1fe8b5213e83219ccc

SHA256
3a42938b3f2e715c1c2072416ebdcc9f61f036e7a0a1386ba64737c5540d3bb2

SHA512
aa652629f2153f34526ded6f8dd4a038a1c4d016ec87760f20e5987d06d1e3c06cdaa12b51011cd319b796c61ca9a32b0a71594d70af0d43c1d250f37c06ce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime64.exe
Filesize
11KB

MD5
da23f44a96e6aa3a8b80f1cc40169dae

SHA1
9c5ff4215e46407da34524ce4f26841aa2c842c6

SHA256
2d86ab0d97a265aa7b465439ac97c0c6b428a3bdc18000625f3fd66c07ff6f70

SHA512
ccf6056c176a98e2f235f22667ea1497191a3cb373fc63632467de6255493c98fcb315d55a634cd0bb10e6087d832f46d0712fb3661dd3786bd9fe360981a035

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat
Filesize
176B

MD5
817f206715324b93f8a93ffcb51b004e

SHA1
544bd1c57221f24f4eaf24affeeb55b8fc0051b0

SHA256
e3bfccddec2d52eb6b2cefe297b02afae4f360cdcdbcac1463e8c6a070092b91

SHA512
da50bec988b97d7a34a94c6080836f0766fae10a186d7acd10c4dad26b91e6b58cad1bfc04b5e45df39555aa4756a28156d1f5bfc0d6a6b5a0ff739859144c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAbXgo5nXx.bat
Filesize
176B

MD5
663375052fa5e6a85dfdac653376651f

SHA1
f14183db131fe3fc15185dee75ece722bc8e75db

SHA256
7410f44bc671bc9b00d0f3ee031d0783acaeefe561c96abf12420d9e61ca2a88

SHA512
b6b0bc2df3a358632a15744101c964a28fc7daa617d0595cabc5011b3e68b157b62d354e7559d3d04ef0d8087b977120ea873f10273fea21122805800731c3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\inbPLpLC2K.bat
Filesize
224B

MD5
15bf15d638ed7febb3d2af9a992aa056

SHA1
969b79042071b83c87ed1ace007d2f6eed8e40e6

SHA256
9497a3e564222f702eecfe388c199f8a565297dbbc6ed6af1969886a5a09519e

SHA512
f24939bc76dc0d62e948589ba6a17a29b4fbe5ade826905e168e3e417a490b6982a0ef1ca1bfe5fb3986e158802ea334993701e142e02584c480358f94712422

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyk3mdJSzu.bat
Filesize
224B

MD5
87b09d6e74317c45fbf8862729f3d12d

SHA1
b4adec67ba4138350a59e3ba49124aa7ed0e504b

SHA256
294d526a930b2df84ae430e4980cc9778a3a35631edeb8a6248a9172a583ee06

SHA512
6652dc52dc8d24134be965fcc94e1d1a3c59bbba7c319a0ccd2f21253761326a517096c0335ebfda92568f1e19ee423a267b974f416054fefea4c3b35325f29e

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat
Filesize
224B

MD5
a25e61cf3f7ba386e56cac98e7432674

SHA1
3417bfffa16ab19e0cd72b50631d10b0d6ec0d64

SHA256
197bfa2bdbf07daef34219141a1b59d249c576b8b70f6a4c63c525a2baa0af7f

SHA512
98ede162bda42168ce38005155af4d4d7a3390064a940a202b95dc396c59f59b24022e962ecd1778f09b921581a54f6f79d46295da4c6711a5ff8687543f7dfb

Download Submit
C:\Users\Admin\Documents\GTA 6 Builder-Install\GTA 6 Builder-Install.exe
Filesize
12.5MB

MD5
40e5acb9dd1dbc4606f5c01ab3ab36ff

SHA1
8ad852448dee822b7f375b6067581082d1330765

SHA256
f27c8d1507717e303a1cdb1e5bf81f376741b19df2102bbc4ed44ba9d6db8c3c

SHA512
65a0d785c63123c87caea0bac8e7e1eca80e10f1369645752594cc75b5c42cf46d1102e57e596421911b42f33571b639e4ecfdbc2e4b7d79a0a0e885bab35374

Download Submit
C:\Users\Admin\Documents\GTA 6 Builder-Install\README.txt
Filesize
20B

MD5
229bfb07694f123e2cb4986f47100a62

SHA1
c07256227a3878a9fcb029dfa2794b2003787cd5

SHA256
8df26b1f550c80646f01d25b8aafcabb1342bbb2be1cd335cdb8d254be8c4090

SHA512
e5d153f6a3de43124ba343fd95c01baa550ad485ae2078487e8669988fa034fccbc4420695d9006b6ce19340a9f43ede7eb6509437fb32d679beb571f2981b69

Download Submit
\??\pipe\crashpad_4372_QAEUODTWYOCGCWOZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/516-290-0x000000001B810000-0x000000001B818000-memory.dmp

Filesize
32KB

Download
memory/516-354-0x000000001BF30000-0x000000001BF38000-memory.dmp

Filesize
32KB

Download
memory/516-349-0x000000001BF30000-0x000000001BF38000-memory.dmp

Filesize
32KB

Download
memory/516-285-0x000000001B810000-0x000000001B818000-memory.dmp

Filesize
32KB

Download
memory/1180-306-0x00000000030B0000-0x00000000030B8000-memory.dmp

Filesize
32KB

Download
memory/1180-301-0x00000000030B0000-0x00000000030B8000-memory.dmp

Filesize
32KB

Download
memory/1608-212-0x000000001B830000-0x000000001B83E000-memory.dmp

Filesize
56KB

Download
memory/1608-204-0x0000000002890000-0x000000000289E000-memory.dmp

Filesize
56KB

Download
memory/1608-208-0x000000001B840000-0x000000001B852000-memory.dmp

Filesize
72KB

Download
memory/1608-227-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/1608-196-0x00000000005A0000-0x00000000007A6000-memory.dmp

Filesize
2.0MB

Download
memory/1608-206-0x00000000028C0000-0x00000000028CE000-memory.dmp

Filesize
56KB

Download
memory/1608-214-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/1608-210-0x000000001B820000-0x000000001B82C000-memory.dmp

Filesize
48KB

Download
memory/1608-199-0x00000000028A0000-0x00000000028BC000-memory.dmp

Filesize
112KB

Download
memory/1608-202-0x000000001B2B0000-0x000000001B2C8000-memory.dmp

Filesize
96KB

Download
memory/1608-221-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/1608-200-0x000000001B870000-0x000000001B8C0000-memory.dmp

Filesize
320KB

Download
memory/1756-317-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/1756-322-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/1876-239-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/1876-244-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/1972-168-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/1972-197-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/1972-166-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/1996-333-0x000000001B560000-0x000000001B568000-memory.dmp

Filesize
32KB

Download
memory/1996-338-0x000000001B560000-0x000000001B568000-memory.dmp

Filesize
32KB

Download
memory/2644-357-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/2644-371-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/3112-274-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/3864-219-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/3864-216-0x0000000000400000-0x0000000002094000-memory.dmp

Filesize
28.6MB

Download
memory/4476-259-0x000000001BE80000-0x000000001BE88000-memory.dmp

Filesize
32KB

Download
memory/4636-194-0x000001B565910000-0x000001B565918000-memory.dmp

Filesize
32KB

Download