41c98ab0f0961cf6f27664bca7b5cd120b58c2ab20f0de58735be82d4273cddc

Analysis

max time kernel
342s
max time network
347s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GtagHorrorPCVRbyVidal.html
Size

312KB
MD5

6c28a6d557ed010a87e32e78ca56eb6c
SHA1

929ac702659b9982857ccd3b077efa5eaf99d03c
SHA256

41c98ab0f0961cf6f27664bca7b5cd120b58c2ab20f0de58735be82d4273cddc
SHA512

55b61385307a0b3bbedfe24313e8f3214185537310c6944aabdcebed70107dbf30d6a3afbf02acf61c7d5d1e2e68c68280393f68923419598b59e6f2fb74061a
SSDEEP

3072:ti0gAkHnjPIQ6KSEc/+RHDPaW+LN7DxRLlzglKDVbRk:vgAkHnjPIQBSEPjPCN7jBDVbRk

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GorillaTagHorror.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GorillaTagHorror.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GorillaTagHorror.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GorillaTagHorror.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1548	msedge.exe
1548	msedge.exe
2516	msedge.exe
2516	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
1952	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4032	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2340	GorillaTagHorror.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4376	2516	msedge.exe	83
PID 2516 wrote to memory of 4376	2516	msedge.exe	83
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 324	2516	msedge.exe	84
PID 2516 wrote to memory of 1548	2516	msedge.exe	85
PID 2516 wrote to memory of 1548	2516	msedge.exe	85
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86
PID 2516 wrote to memory of 2040	2516	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\GtagHorrorPCVRbyVidal.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6dce46f8,0x7ffd6dce4708,0x7ffd6dce4718
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5474116901701457138,16785069225523864265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3500

C:\Users\Admin\Downloads\GtagHorrorPCVRbyVidal\GtagHorrorPCVRbyVidal\GorillaTagHorror.exe
"C:\Users\Admin\Downloads\GtagHorrorPCVRbyVidal\GtagHorrorPCVRbyVidal\GorillaTagHorror.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2340
- C:\Users\Admin\Downloads\GtagHorrorPCVRbyVidal\GtagHorrorPCVRbyVidal\UnityCrashHandler64.exe
  "C:\Users\Admin\Downloads\GtagHorrorPCVRbyVidal\GtagHorrorPCVRbyVidal\UnityCrashHandler64.exe" --attach 2340 1913294098432
  2⤵
  PID:3372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
4e492788367ee3ca94b45e85dc6e4047

SHA1
a2f7bb1a5637153e3f86df45425689aec0dacfbc

SHA256
99fb79ac130b6e979e4faf30dd078bf6271bcf7acefbf63510c2fff389ffa4d6

SHA512
4bd89805b44b1dd7690b4914ae65ba8b048e66e2f9dd929b2087d2a3f2c56ed600bad6f8887fed80b34894850ccacdbb2fa2d90c0ab8517dcaff852fa24ce891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1efce3753b7e4f98aac3fdabefe97c96

SHA1
8755d4e618dccfd81ccdbd0488e595016478265e

SHA256
6040e4296eeaf7eb5520057e282c71cecbff36ec50de4016363263a7d6933830

SHA512
aa394111e44be015777694d2847ed702b38e73415fd08360078e16537d31eb44e819dfa81e294fea00e3adb2d0bc2d7a0e37436e173cf62089c262f5ec99c3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
49d2555b7c893424e65efba7f8073f1c

SHA1
5a5507e090ea7bb2b920aee30ffb2846f0f73a76

SHA256
792be045a7b1bb7639eb3d94f8ca3743bef57b318b0a5a39384a3c2910b748ae

SHA512
4a95e019757d1fcbfbac1ef37decdb9e2551283d013ec137679f31f2070385b1f5886c307ea30f5725419ed1e84477d3a435827fa4354e66ce32954bbbff99a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8eba3bfafbd9c581df034b7e22439578

SHA1
d2d9bdf4e2a0d145e33c75e88ce2352981c7984d

SHA256
8d6f549ebfb93fbcbda7ae67dfecae5317fefe4e23798f41f62870cacf688fc5

SHA512
f3d2cd3e5caf13d55c83c46e19eee6291de3ccc8e1d265f1b2df1b3b3f18fc30ecc063aedcb6be11383e668f46f1bae5e8e26440c991827329c0d04e36ffafeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7f11a43fe223132dd112be6cdd20dadf

SHA1
f6807a80d769ea378f4f2b643449e9393f9f5ed1

SHA256
6c447ce3f440f6ab18668bbd2cdba73396d46cc36ef7c0ede1dd99302b9c9fb7

SHA512
94ee84f635c03991998338288138abab11abcd30b043680c0242b1b6916d3e0fdf4dbfc983c7543be31e188b725f61e4dc3c70fb60a4dae5caa0c06dfd67a6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
854580d2572ef18f0ce3a45113c6752b

SHA1
233459912cc47720d3d43b15a506b511b24c0833

SHA256
3a43a2e5c5475891ae3a4ee7bf096863fa2351fba054e9c99c9bc37d79861f6b

SHA512
9da51c009ee0bdb66d381e8ffdfa38c88e6160ae21abffb6e677f0814baeb9363a7894205359143c9e5ca9aa88ff2156522e9a90dd19d5241691c97127e2f1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
545822caa55bc4c2c4dbeaf75404ce27

SHA1
2c08b4e1f9a358f447d5d6619d250f231c6c44ef

SHA256
b0e37bbc6ee270c70ec2b47865343cfb79c64042ba6bf6a2c36f95293f6d81d6

SHA512
172d4cdbc2f6a124d1a263fcee4520d2a1585e0e2cdfe7206ab43b476fc28d85fec9b3784ad88e987b804a5a3a36628792e3d461585b646ed3b080ec448be107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804dd.TMP

Filesize
1KB

MD5
2e0d8e9d73cd8a5feb923216e678398c

SHA1
06cc1f016b94860086001650d65399ebfbb9dc28

SHA256
6d6401ed1721153b9a632a772618f701b39ab4c3a7e0d80c056cc818b2f7088b

SHA512
ba847b3b94391d4b120b5186ba1f2105bcebb55a10b4f64aef8d7b3df12d516367a640e7520ad26139830ec4c90a5009226258c4abbddce346c4266a4c445299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2329c11a50717013325bfeadb3870f2

SHA1
cc85ddaa5375be851bc1d6e9d8b0b793bb724773

SHA256
b98156067474ce2b5960f96f5f3cfdeb9433288bd284ac008cea0167394ac264

SHA512
aefcf66f604e590fc3a283cecb2c1a02979a55cd5f9e5ff99e3f3b247f1d0983057acfc89133b2b7989c47d7120ca10d03eb7eb7b231c6767afc4a6ef20a00a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4bf9245776e6d3383d926f19cde9179

SHA1
ff030f783dd66cba6090ed83455bc191baeefb1a

SHA256
d8ed34dac73d3975f740c65a11e1c08e6c2ecf7f26e25dbf6a47d02f3296445a

SHA512
5b65b31e6d66edc187b8ee86ce21007ef11855ffd350bc46542f21af5086427c5646bb925497ce51e6fbdb2e61b36930bc997e083a7fb6111a175d4f4d603df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b1dbf6a7cde3573b967f7e7166abe85

SHA1
76f724d2dbce1d83ff25e10917e6934c19613645

SHA256
212b42cc7fc2c06827d54f2b2af69c9c73b932db4386d90837f2f2d56b1a0ac5

SHA512
813af942b341e2512037b2a9bffa7986071aa6305039163f33bb019912ba64f3d6c60ff58fce0aed3f29f4221ce963ecfafe3fa0623eb2eb300bd5960f789956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2b38f0a48ba79fab595d6b68ea138c82

SHA1
0d1fd3db269946aa3dca35f7ef2017a7d58fe21f

SHA256
ce50cddeb24bd3e588ca27159f3cdf4a579d852b592243127a7dbdfe9362cceb

SHA512
049d8761299285103c8fb399c5b02aa686fbf6caa4045765d5d6f19c19798e5b1c373034f29adba765873b2e810298f0cf4d93916a86d53197df9a87f656e05f

Download Submit