hxxps://cdn[.]discordapp[.]com/attachments/1275591310652342335/1275601788837560321/GorillaExecutorSharp[.]7z?ex=66c67c3d&is=66c52abd&hm=004f82fbc672c702706006c7fbb91dee9be01bc2828ba221a9d143cab1681d26&

Analysis

max time kernel
629s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1275591310652342335/1275601788837560321/GorillaExecutorSharp.7z?ex=66c67c3d&is=66c52abd&hm=004f82fbc672c702706006c7fbb91dee9be01bc2828ba221a9d143cab1681d26&

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
5144	GorillaTagExecutor.exe
5884	GorillaTagExecutor.exe
6120	GorillaTagExecutor.exe
4908	GorillaTagExecutor.exe
4520	GorillaTagExecutor.exe

Loads dropped DLL 5 IoCs

pid	Process
5144	GorillaTagExecutor.exe
5884	GorillaTagExecutor.exe
6120	GorillaTagExecutor.exe
4908	GorillaTagExecutor.exe
4520	GorillaTagExecutor.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5200	7zG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
1600	msedge.exe
1600	msedge.exe
1396	identity_helper.exe
1396	identity_helper.exe
4520	msedge.exe
4520	msedge.exe
5144	GorillaTagExecutor.exe
5144	GorillaTagExecutor.exe
5884	GorillaTagExecutor.exe
5884	GorillaTagExecutor.exe
6120	GorillaTagExecutor.exe
6120	GorillaTagExecutor.exe
4908	GorillaTagExecutor.exe
4908	GorillaTagExecutor.exe
4520	GorillaTagExecutor.exe
4520	GorillaTagExecutor.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4024	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	5200	7zG.exe
Token: 35	5200	7zG.exe
Token: SeSecurityPrivilege	5200	7zG.exe
Token: SeSecurityPrivilege	5200	7zG.exe
Token: SeDebugPrivilege	5144	GorillaTagExecutor.exe
Token: SeDebugPrivilege	5884	GorillaTagExecutor.exe
Token: SeDebugPrivilege	6120	GorillaTagExecutor.exe
Token: SeDebugPrivilege	4908	GorillaTagExecutor.exe
Token: SeDebugPrivilege	4520	GorillaTagExecutor.exe
Token: SeDebugPrivilege	5440	taskmgr.exe
Token: SeSystemProfilePrivilege	5440	taskmgr.exe
Token: SeCreateGlobalPrivilege	5440	taskmgr.exe
Token: 33	5440	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5440	taskmgr.exe
Token: SeDebugPrivilege	4024	taskmgr.exe
Token: SeSystemProfilePrivilege	4024	taskmgr.exe
Token: SeCreateGlobalPrivilege	4024	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
5200	7zG.exe
5200	7zG.exe
1600	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1036	1600	msedge.exe	84
PID 1600 wrote to memory of 1036	1600	msedge.exe	84
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4688	1600	msedge.exe	87
PID 1600 wrote to memory of 4828	1600	msedge.exe	88
PID 1600 wrote to memory of 4828	1600	msedge.exe	88
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89
PID 1600 wrote to memory of 4000	1600	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1275591310652342335/1275601788837560321/GorillaExecutorSharp.7z?ex=66c67c3d&is=66c52abd&hm=004f82fbc672c702706006c7fbb91dee9be01bc2828ba221a9d143cab1681d26&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab4c846f8,0x7ffab4c84708,0x7ffab4c84718
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,4125445678128297704,8310422743953717833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5136

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\GorillaExecutorSharp\" -ad -an -ai#7zMap21510:100:7zEvent19188
1⤵
- Network Service Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5200

C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe
"C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe
"C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe
"C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6120

C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe
"C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe
"C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4778717c-ea3c-4497-aad2-3b874c161909.tmp

Filesize
6KB

MD5
030c024019389d407648a6adc6f10e10

SHA1
2cb5b14a0d51a41e211b8edec81bd1ee7f67533a

SHA256
18370196c2636282c3cd834b1cced9a7ae8a2fb59ba24106c729c0f0100674f4

SHA512
2262b66966b8e3828521c5f920d7ad3231d3aca7ba64aa289a534fb1d6f1d99d64a6e087dc821f0de31912557002a37c162dd099dad41924fe52cf80b1fd707e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b501db6c89677be000d60d8da57de35f

SHA1
a817f23e194fd3c40f422b158c444881248d744c

SHA256
5bbccc71dd5e531c6bb815661ef33344bc0ee6dc69901e03929c730183a8ac24

SHA512
060776c981501b5d4868150e60e58c9f260e8828875570ed1fbf2627e7c01277d81ee43f8acb15092b259e3031a54a82b792ef1e1d6e351f0cbedd6fff106c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e0a8086f96d60212d6ff50e58cf2b36

SHA1
f7d355468d0db8a3442bd0fd4c86557958951cbc

SHA256
fdb543856dca26df95031083eaef200c14a384684551f29c63db911d495649a2

SHA512
4e9fb013b63b5cf4f9effaeadcb0db6ba67b6adc5ff3532bfb4415f7de739f51fbb5f96e9abf962bf0f743f76fad8f78ced2921a3aadf8a42e7b4044628feb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bac9612cd061af2c5f13a531d07433be

SHA1
151ceeec19eeb10dd9aca5a6fdac227ff5a7d145

SHA256
68b9d43400984835bc9f5d7b93f1f4783c8cbe4f64e168833f1efbf35821a1ac

SHA512
57019e495825fb4355e7f1b883f89b486e80f4593a77628a5c61a2b5262bacdf4e97a930cc933c3475e36b737b0de32076711e7a5c75d96fc4e72d67b2960585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3e0e7123629bf7c9df57880a9651da0

SHA1
11613d75ae18b907559c34b422d4a1a5ef9db86c

SHA256
8775e3a7b20c28769e3f8cdd03d4281d90140613cb50398bbd6c2b7a84fc29a4

SHA512
84f633f052ae07cd59ef2c8424c254beda5c28de6935faf443c457f6f83ef1f1ceec74c781fdbd24c7d4d117e8eadf382f288218ab3e7847180f7330f4474839

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp.7z

Filesize
17.8MB

MD5
8ee4926d9833f7731e0a2193e12f1ece

SHA1
f43b3a8335616c7d4e4d30aff08fc5d91f7416e8

SHA256
f99576590c884e7e71d3e0b65f2dcc92825fb09de2071c9c16cae3a6ca62519d

SHA512
b55e163c78ff6cf84cd3e0aa2ee57c4b5eaa337731af9493c427685908d38e33e4c070025f67c61dae7ba6e076d6c6aade64356f5e5c2932c30e1405605eba1b

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.deps.json

Filesize
2KB

MD5
10ba74c9600fbc8a1525363e308d08b7

SHA1
7f9b6f2076b06d63171b2b53055146aee4b614f2

SHA256
3a52152ec0028f9b59dabf83957e01527841b916babe7ed3e8d260ed9501b219

SHA512
886a4805582d780b8786589a8c71263ec745ab7727d99bd88e1d2aa40ed88f4d06fb894c0d574697622b042e3510e0d516405b13aba5210f2d6bc28251eb55da

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.dll

Filesize
60KB

MD5
9154ac79353b2ae89e4818945cb4268e

SHA1
120321fa85de4db7193bdacb00088cd6986a56a4

SHA256
a1216f2c13011c3d5130e2b3d648901e85ebb37409b6f16bb13ee745f6ce7c4c

SHA512
03faf476a91d7ac75c63e06e43c7e571a55ecae9eef9888b5e5ed5d4ed4eaa312e67a3c2a88ca7716f9c7880fc4c926ea1ea11fa0577bf385196a9152f20bf30

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe

Filesize
146KB

MD5
9635589da154273cb478f2088cc6ec8c

SHA1
6dd3a23e6163b240a4536d7d926703b5ac2e50d9

SHA256
f276ee315950ee9611b836b3d18f71674020c6cc807427e2facdccf2ccece674

SHA512
885e9533bf180148a7e8340d08f5cffdbd66ca6ba97bb7612dfbbaf3d34b56cc95a0878391128040b8998ce5b697a75205b382bfd9e804810ea0a3d78f76a257

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe.WebView2\EBWebView\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\GorillaTagExecutor.runtimeconfig.json

Filesize
266B

MD5
d720176a229e9d969b40fabeb0baf62e

SHA1
f2d8e97a6c6098a10dd80553eaaef7547ad32ba3

SHA256
321b4e463bbacd6113aa337511bdebf5e7356e9971744346b28424607c7b483a

SHA512
0844f9aca147014a68248c43310bf97e0a0a3679fc84650aa0a27aa09f70f56fa071c0ace1be80f0e33ce4dd3f865eae11e946d98d21af916dc1a7f945acaba0

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
2ab84dc690059b2bd34d2f00561d6af4

SHA1
49b665b40a5ae995edfec80caf7e409c9795e9dd

SHA256
a1e096c6842b9f443679f47e321379d15e1f93c77fd0b6d32b9eb0e93e25ac89

SHA512
80d1c0fbe937655f1e78549c4bdaaa7d8aa55a74945c16f3663fe270c0a715eb7f89dc66490a0164f33444aece768a41e894bdcaa50ce2f88a6dab77b9809afa

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
ffb9d7f6546e00c3a97edcc0ed0091f2

SHA1
cdf7aa51565725c9efe548ac7258da025a4d8b34

SHA256
744b0e990f9eb292abddbe021f38be86912386207e0fb352a6ec804b61d42d97

SHA512
16c1c1a0477c7f7839514783b60cd4759e9ae01e11567820d11234337951cca819475e658026d97df3e6c7277cd575581887c0056cda8cfc8a83a448b375f3c6

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
d2033aa3200206b0d44255a36686124e

SHA1
e34b92f052afc26412298dde95088fd1bdf20c09

SHA256
e2004ecd9ddebd1bb7edfff5fa62781fe037eca4282c2be3483dc6f78779899c

SHA512
e266b16a265262447a7f4e3d2fea99b273976102206a4287e635164f9de7e40a8f9b3548da7a9a412530ca8f65a1a27e4a2c7ad55c05b9b58b78ae3f93703773

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\wwwroot\node_modules\monaco-editor\esm\vs\base\browser\ui\iconLabel\iconHoverDelegate.js

Filesize
363B

MD5
dd263e5dbcdedd3493e61d0c57df0f4b

SHA1
128c04e296589029cee7103263a115c68bf04343

SHA256
09a97316f8af849b49abe77e72e13f0d587c2527dfeaa7f3bc8d0015438eeeab

SHA512
e22d08f9b3ffc9e9089a11f774f5e0b14a2c89dc1bca715d8190c0173bbd8c76cb53bb8474b381b32254df9986043c4f6fd5c613f823b0ee629a4ffa2e2fdc6a

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\wwwroot\node_modules\monaco-editor\esm\vs\base\common\sequence.js

Filesize
11B

MD5
e2ebd7ddedcadeeadbf819c35985c768

SHA1
b878c11a77128e74c3cf15c93ef2ceddf2aa0b38

SHA256
8e609bb71c20b858c77f0e9f90bb1319db8477b13f9f965f1a1e18524bf50881

SHA512
4ee1c88f8c3f4e4cd34cb6c00339bf9d6d036ff4ade3af49e871cc8966b84c729d8b75492acc6413c9a664ac00a57958223ac13c4229da8c62ebe6a53e4f783f

Download Submit
C:\Users\Admin\Downloads\GorillaExecutorSharp\wwwroot\node_modules\monaco-editor\min\vs\base\browser\ui\codicons\codicon\codicon.ttf

Filesize
70KB

MD5
d28098974f2b7d57f46d1672a3ccd985

SHA1
1f9133d3abe06abd2f7af6209de11474b509e8a0

SHA256
71cccbf15f547a7392f5f2e0ae0c42d5b64cb29ba690eb346b3cb2aa5e4a19e7

SHA512
2359476de4fc85a88e39c665112d49d7b54a50d8b5878b894f5a69cec468be144c333d275de0dc515fd89dd62a811633d2060387df142e24a1709d5786ca0164

Download Submit
memory/4024-2837-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2844-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2846-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2845-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2847-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2848-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2849-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2838-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/4024-2839-0x0000020CED550000-0x0000020CED551000-memory.dmp

Filesize
4KB

Download
memory/5440-2824-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2834-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2826-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2825-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2836-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2830-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2831-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2832-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2833-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download
memory/5440-2835-0x00000206ECFC0000-0x00000206ECFC1000-memory.dmp

Filesize
4KB

Download