silverrat | hxxps://mega[.]nz/folder/e2QEQRDD#JMZLrY1gXd4ZW-IDnzWljw

Analysis

max time kernel
94s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 22:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://mega.nz/folder/e2QEQRDD#JMZLrY1gXd4ZW-IDnzWljw

Score

10^/10

silverrat defense_evasion discovery execution persistence trojan upx

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

Mutex

SilverMutex_EZMDaghRAK

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1344190210203975710/llWGKbVGP8KFjTLbojySgUGmRZ-7w1XiROSsUTWS4cwLV54tR8hpAm5WBow8QrkHvn-k
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
dmthUlBIaHJSb3BpbVJEa1JUQVJtbllUWUR2TWFZ
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
3443
server_signature
OCjxeZ8fdb/ngTEL4g1gLuCJlPbmz2jouEwmleUcZyEJYA+WqhSq18n0CCapT7+9pilgBq+I3lTRrqT8nW47hzNaagZwauFhzN8WaPNFA9N8F2G/RxrFELr1IUYL8mK2EBMsYAJX8cY5qX9Umx0s8N7yNOPPJNs4QNYGc1TDraKBwNX41dleV8CCFHuw/9TYGyT9afq8HE6bONYKyMkF/Z+fxlVGfh8L64hYBX1wNZzqf51UrCRDhPnBJcAOfgVWd/AQuas2bIaetecGoc3qxpEJ2FOi8FrtYfvKYeA77Jzz6DpEjKN31C6CazjyXYGKAQN+LewPlDjQOTrIVmrComYHrqRCfG1kZtT+FIN00lTR+xKG8wksKyqbfTN+gWFvOopy2HFFjY6aoqtkkUTtc4tnq4AtL1rXfzrizLRuKqPlSip8PD5l+vMwi8vkLaDXOHnveimQ7eUxhEyCwB5LrFbCjZvTItw8iB0GLUVhGz1RZNOj98bHbdqwhW6cGGOGswinVK9b05nUnUY0zVoEZ8sHtv5SbvbBq0QYaoOmpVk+FpUiIvbrlRpZfgdep+YVtvaTf2sOLRbQd7Obr0Y0M/X4kyGU0AEawpw7ctO28qa7sHehFI7LPqAdZF8hsYxuT/+t9Gk5MJoaopa71JbhQlJn7+eFcGnmRwwihARJUe8=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Enumerates VirtualBox DLL files 2 TTPs 6 IoCs

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\windows\system32\vboxhook.dll	FIXED FINALLY.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	FIXED FINALLY.exe
File opened (read-only)	C:\windows\system32\vboxhook.dll	SystemUpdates.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	SystemUpdates.exe
File opened (read-only)	C:\windows\system32\vboxhook.dll	FIXED FINALLY.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	FIXED FINALLY.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5736	powershell.exe
4292	powershell.exe
5128	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5616	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	SystemUpdates.exe
5592	SystemUpdates.exe
4912	HP_Updates.exe

Loads dropped DLL 64 IoCs

pid	Process
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdates = "C:\\Users\\Admin\\SystemUpdates\\SystemUpdates.exe"	FIXED FINALLY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\HP_Drivers\\HP_Updates.exe\""	KorosGT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	discord.com
79	discord.com
81	discord.com

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001700000002b4ca-1705.dat	upx
behavioral1/memory/5500-1708-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp	upx
behavioral1/files/0x001900000002b02b-1710.dat	upx
behavioral1/files/0x001700000002b474-1715.dat	upx
behavioral1/files/0x001c00000002b029-1720.dat	upx
behavioral1/memory/5500-1721-0x00007FF954FE0000-0x00007FF954FF9000-memory.dmp	upx
behavioral1/memory/5500-1719-0x00007FF95E8B0000-0x00007FF95E8BF000-memory.dmp	upx
behavioral1/memory/5500-1716-0x00007FF958800000-0x00007FF958824000-memory.dmp	upx
behavioral1/files/0x001900000002b031-1722.dat	upx
behavioral1/memory/5500-1724-0x00007FF954C70000-0x00007FF954C9D000-memory.dmp	upx
behavioral1/memory/5500-1753-0x00007FF954ED0000-0x00007FF954EE4000-memory.dmp	upx
behavioral1/memory/5500-1754-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp	upx
behavioral1/memory/5500-1755-0x00007FF95E960000-0x00007FF95E979000-memory.dmp	upx
behavioral1/memory/5500-1759-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp	upx
behavioral1/memory/5500-1758-0x00007FF954D40000-0x00007FF954D73000-memory.dmp	upx
behavioral1/memory/5500-1757-0x00007FF93D450000-0x00007FF93D51D000-memory.dmp	upx
behavioral1/memory/5500-1756-0x00007FF95E950000-0x00007FF95E95D000-memory.dmp	upx
behavioral1/memory/5500-1760-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp	upx
behavioral1/memory/5500-1761-0x00007FF958800000-0x00007FF958824000-memory.dmp	upx
behavioral1/memory/5500-1763-0x00007FF958AB0000-0x00007FF958AD7000-memory.dmp	upx
behavioral1/memory/5500-1765-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp	upx
behavioral1/memory/5500-1764-0x00007FF954FE0000-0x00007FF954FF9000-memory.dmp	upx
behavioral1/memory/5500-1762-0x00007FF959810000-0x00007FF95981B000-memory.dmp	upx
behavioral1/memory/5500-1766-0x00007FF954D00000-0x00007FF954D37000-memory.dmp	upx
behavioral1/memory/5500-1768-0x00007FF955DF0000-0x00007FF955DFB000-memory.dmp	upx
behavioral1/memory/5500-1767-0x00007FF954ED0000-0x00007FF954EE4000-memory.dmp	upx
behavioral1/memory/5500-1784-0x00007FF9549C0000-0x00007FF9549CB000-memory.dmp	upx
behavioral1/memory/5500-1783-0x00007FF958AB0000-0x00007FF958AD7000-memory.dmp	upx
behavioral1/memory/5500-1782-0x00007FF954C40000-0x00007FF954C4C000-memory.dmp	upx
behavioral1/memory/5500-1781-0x00007FF954C50000-0x00007FF954C5E000-memory.dmp	upx
behavioral1/memory/5500-1780-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp	upx
behavioral1/memory/5500-1779-0x00007FF954C60000-0x00007FF954C6D000-memory.dmp	upx
behavioral1/memory/5500-1778-0x00007FF954D40000-0x00007FF954D73000-memory.dmp	upx
behavioral1/memory/5500-1777-0x00007FF93D450000-0x00007FF93D51D000-memory.dmp	upx
behavioral1/memory/5500-1776-0x00007FF954E00000-0x00007FF954E0C000-memory.dmp	upx
behavioral1/memory/5500-1775-0x00007FF95E960000-0x00007FF95E979000-memory.dmp	upx
behavioral1/memory/5500-1774-0x00007FF955C20000-0x00007FF955C2C000-memory.dmp	upx
behavioral1/memory/5500-1773-0x00007FF954E10000-0x00007FF954E1B000-memory.dmp	upx
behavioral1/memory/5500-1772-0x00007FF954F60000-0x00007FF954F6C000-memory.dmp	upx
behavioral1/memory/5500-1771-0x00007FF954FD0000-0x00007FF954FDB000-memory.dmp	upx
behavioral1/memory/5500-1770-0x00007FF955CB0000-0x00007FF955CBB000-memory.dmp	upx
behavioral1/memory/5500-1769-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp	upx
behavioral1/memory/5500-1785-0x00007FF9549B0000-0x00007FF9549BB000-memory.dmp	upx
behavioral1/memory/5500-1792-0x00007FF954D00000-0x00007FF954D37000-memory.dmp	upx
behavioral1/memory/5500-1791-0x00007FF950AB0000-0x00007FF950ABD000-memory.dmp	upx
behavioral1/memory/5500-1790-0x00007FF950AA0000-0x00007FF950AAC000-memory.dmp	upx
behavioral1/memory/5500-1789-0x00007FF949E70000-0x00007FF949E82000-memory.dmp	upx
behavioral1/memory/5500-1788-0x00007FF951580000-0x00007FF95158B000-memory.dmp	upx
behavioral1/memory/5500-1787-0x00007FF951590000-0x00007FF95159C000-memory.dmp	upx
behavioral1/memory/5500-1786-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp	upx
behavioral1/memory/5500-1793-0x00007FF944420000-0x00007FF944435000-memory.dmp	upx
behavioral1/memory/5500-1794-0x00007FF944400000-0x00007FF944412000-memory.dmp	upx
behavioral1/memory/5500-1797-0x00007FF944120000-0x00007FF944142000-memory.dmp	upx
behavioral1/memory/5500-1796-0x00007FF954E00000-0x00007FF954E0C000-memory.dmp	upx
behavioral1/memory/5500-1795-0x00007FF944150000-0x00007FF944164000-memory.dmp	upx
behavioral1/memory/5500-1798-0x00007FF944100000-0x00007FF94411B000-memory.dmp	upx
behavioral1/memory/5500-1799-0x00007FF9440E0000-0x00007FF9440F9000-memory.dmp	upx
behavioral1/memory/5500-1800-0x00007FF942190000-0x00007FF9421DD000-memory.dmp	upx
behavioral1/memory/5500-1802-0x00007FF941CD0000-0x00007FF941D02000-memory.dmp	upx
behavioral1/memory/5500-1801-0x00007FF9440C0000-0x00007FF9440D1000-memory.dmp	upx
behavioral1/memory/5500-1803-0x00007FF941CB0000-0x00007FF941CCE000-memory.dmp	upx
behavioral1/memory/5500-1805-0x00007FF93D2D0000-0x00007FF93D32D000-memory.dmp	upx
behavioral1/memory/5500-1804-0x00007FF944420000-0x00007FF944435000-memory.dmp	upx
behavioral1/memory/5500-1808-0x00007FF93D270000-0x00007FF93D29E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3168	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5008	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Koros Gorilla Tag.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
864	schtasks.exe
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4796	msedge.exe
4796	msedge.exe
5992	msedge.exe
5992	msedge.exe
5068	msedge.exe
5068	msedge.exe
6092	identity_helper.exe
6092	identity_helper.exe
2336	msedge.exe
2336	msedge.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
3200	KorosGT.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5500	FIXED FINALLY.exe
5736	powershell.exe
5736	powershell.exe
5592	SystemUpdates.exe
5592	SystemUpdates.exe
5592	SystemUpdates.exe
5592	SystemUpdates.exe
4292	powershell.exe
4292	powershell.exe
5220	powershell.exe
5220	powershell.exe
5128	powershell.exe
5128	powershell.exe
4912	HP_Updates.exe
32	FIXED FINALLY.exe
32	FIXED FINALLY.exe
32	FIXED FINALLY.exe
32	FIXED FINALLY.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: 33	5456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5456	AUDIODG.EXE
Token: SeDebugPrivilege	3200	KorosGT.exe
Token: SeDebugPrivilege	5500	FIXED FINALLY.exe
Token: SeDebugPrivilege	5736	powershell.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	5592	SystemUpdates.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeIncreaseQuotaPrivilege	5220	powershell.exe
Token: SeSecurityPrivilege	5220	powershell.exe
Token: SeTakeOwnershipPrivilege	5220	powershell.exe
Token: SeLoadDriverPrivilege	5220	powershell.exe
Token: SeSystemProfilePrivilege	5220	powershell.exe
Token: SeSystemtimePrivilege	5220	powershell.exe
Token: SeProfSingleProcessPrivilege	5220	powershell.exe
Token: SeIncBasePriorityPrivilege	5220	powershell.exe
Token: SeCreatePagefilePrivilege	5220	powershell.exe
Token: SeBackupPrivilege	5220	powershell.exe
Token: SeRestorePrivilege	5220	powershell.exe
Token: SeShutdownPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeSystemEnvironmentPrivilege	5220	powershell.exe
Token: SeRemoteShutdownPrivilege	5220	powershell.exe
Token: SeUndockPrivilege	5220	powershell.exe
Token: SeManageVolumePrivilege	5220	powershell.exe
Token: 33	5220	powershell.exe
Token: 34	5220	powershell.exe
Token: 35	5220	powershell.exe
Token: 36	5220	powershell.exe
Token: SeDebugPrivilege	4912	HP_Updates.exe
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	32	FIXED FINALLY.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe
5992	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5592	SystemUpdates.exe
4912	HP_Updates.exe
6948	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5992 wrote to memory of 1472	5992	msedge.exe	80
PID 5992 wrote to memory of 1472	5992	msedge.exe	80
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 5700	5992	msedge.exe	82
PID 5992 wrote to memory of 4796	5992	msedge.exe	83
PID 5992 wrote to memory of 4796	5992	msedge.exe	83
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84
PID 5992 wrote to memory of 3984	5992	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5616	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/folder/e2QEQRDD#JMZLrY1gXd4ZW-IDnzWljw
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff955223cb8,0x7ff955223cc8,0x7ff955223cd8
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,8505024646796045337,2601940779048373061,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\KorosGT.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\KorosGT.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBE8.tmp.bat""
  2⤵
  PID:4152
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3168
- - C:\Users\Admin\HP_Drivers\HP_Updates.exe
    "C:\Users\Admin\HP_Drivers\HP_Updates.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4912
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN HP_Updates.exe
      4⤵
      PID:840
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "HP_Updates.exe" /TR "C:\Users\Admin\HP_Drivers\HP_Updates.exe \"\HP_Updates.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:864
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN HP_Updates.exe
      4⤵
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5128
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "HP_Updates_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3048

C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\FIXED FINALLY.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\FIXED FINALLY.exe"
1⤵
PID:4252
- C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\FIXED FINALLY.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Koros Gorilla Tag.zip\Koros Gorilla Tag\FIXED FINALLY.exe"
  2⤵
  - Enumerates VirtualBox DLL files
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\SystemUpdates\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\SystemUpdates\activate.bat
    3⤵
    PID:560
  - - C:\Windows\system32\attrib.exe
      attrib +s +h .
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5616
  - - C:\Users\Admin\SystemUpdates\SystemUpdates.exe
      "SystemUpdates.exe"
      4⤵
      Executes dropped EXE
      PID:2876
    - - C:\Users\Admin\SystemUpdates\SystemUpdates.exe
        
        "SystemUpdates.exe"
        5⤵
        Enumerates VirtualBox DLL files
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\SystemUpdates\""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (Get-CimInstance Win32_ComputerSystemProduct).UUID
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "FIXED FINALLY.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5008

C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\FIXED FINALLY.exe
"C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\FIXED FINALLY.exe"
1⤵
PID:4256
- C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\FIXED FINALLY.exe
  "C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\FIXED FINALLY.exe"
  2⤵
  - Enumerates VirtualBox DLL files
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4412

C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\KorosGT.exe
"C:\Users\Admin\Downloads\Koros Gorilla Tag\Koros Gorilla Tag\KorosGT.exe"
1⤵
PID:5700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39da855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

File and Directory Discovery

T1083

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
825fb95a70bf7b56cfcda1f118800f98

SHA1
15f1e212c1fb567c70ff4f716a4bba81f2857e0a

SHA256
2280c42f8ca4302a1d37d63532e3e981e33b596e3b2e930ce40b390dc0f09104

SHA512
987189b84f58e5d64b662f80f47ae797bcf46aeba86584cc17afabd2f25885a4cf48d80400154ba22eeee1131b84f882cd1998d1686ee12013218f52049bc6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e45a14e89fdf82756edc65c97e606e63

SHA1
42ce594393a4ce3b4e1c79dbe424841bd3f434c8

SHA256
49af9d716c69fb93ebee18e708f4ceaab99abf505abcbad1bd46c60ace03da9f

SHA512
6af0cabb253026d7613065e7274f8be114fc2cbd0134e8d518a417bf4b2b94ffc8b9c05be4e47685ac6d7246e28c11a86852ee4b6e934bf6c6d56b6c97428425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
3186c42e3c71e304400529845b9651f7

SHA1
a89d1a74f7ea9755a67b7141ad3943f704520e8f

SHA256
c9033c57d8b39277a939b820357461bfa76ceb45d917b4f9b8b9147311d74ef8

SHA512
37179d078c96eb5491cac4d67a2faa28d5ee98926ee0e658eb9db8918f5f98be1bca38892a0edd0f352f913b208a0dd3a9ad72aa03dedae3d23eb919509f57ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
cb2c370608ed5735aec0094cbed1ddbb

SHA1
8b9da953294d7078e9636c4a122d4c98651bfc17

SHA256
01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6

SHA512
87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ae475b47180e72290dcffaa2f571517

SHA1
266d65740cb6900d0841f0a56d7759406a3b317c

SHA256
e0f75f40baf4a097722a396310ceaf089492f38057c1bc8fc7277971f350801e

SHA512
b0b6b2a092f7438cd458d42e21d44e5268c626062fa386cb3220a95bc00b053c543c35beb802bdb74537283649150cf72301468beb0eb881bf4647b074eee7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fdb5a73fdb4fdb4ae48b919f40fe560

SHA1
b153b8c68fa1fbf43870dd8b234393299e75cd4f

SHA256
3824afccb53f6594da97bb86518eba65e41994a9f34f3815a4eb2b1be07a86b4

SHA512
368bdf61a23b0c43a430536665a4d58507f1bd3689437dba94dd0a28cbdb0a2629b1c54264f55a9fa806a723db3203045860f1c1960a076b0f412bcebe691ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f17d370333ac5d640e5b4269a840a5eb

SHA1
5985b07f4df8d84ab910f31cb52d2e922b4ff50f

SHA256
fec157e1f9c23838451936c65ef0ba4e3b80b1eda33417a69699737b153c998d

SHA512
c930845527afb74a313efbbb0a82a636d54023244e0bc69f7dfc609241ca0099bbac05b33e1bcd0f2f6db4ff820a0ed9e4906a46d5d3eed0070c7b68eb682aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e2388959c1b22b3d47aaec7c28c3de86

SHA1
ef8c7ac95acd3f218ad70e6ee4201c50a16e6b1b

SHA256
ef23506fa71fe07c06b7cc3c1b5ae23ebab3295bad93e831cf321febebe71735

SHA512
a0e894f3dad3c0d040cfa2aa3f2a1d5279b97a9d7a70da6ca40bd1717a06552dc2a6e89ec2a296d911f4f36d59da289890789b9bb30a045dc664329d4f1e800e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5801c0.TMP

Filesize
48B

MD5
4d9ad9c5c11ad9fcd047db95a4f0e68e

SHA1
d2d162a45d0e95f2b45b1b668dbbdd4b5dfc4b1b

SHA256
456eab6e588fe5c8e3a00c505d1aa4fd1e6276d518d3350eb1982ce365857cb9

SHA512
86eb85359f4ec0febb18739fc4ec328b9ce5b84e02033d37069a5f6fdc208938181c65dd1821196e9db41b3807668084a414db9e1e77b99c117c417fa642189d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a54f57aec8279fd393feab46c1d45250

SHA1
56de1617ebf103b6da65a924d631b795eb610140

SHA256
2892c501a53eb01820838b58e31025a785a79dc425448ff4bdcac6847e1f3dc7

SHA512
e15d7900067f791f5be2dcf381386719a70d34c16c644acf1e2320e84f202958c596390f63847d85f7aceeb700606de8a0b055dcbe02be204003dc87683eb949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
34dd7098ee62732d1d6546cb7acaaa4c

SHA1
7846d015b2f9e4f5fa173316502c49bcac9101e6

SHA256
255670ac24329a9bde2e8d71dfb658e9d3134c319e15bb3c4c946762f545c6f1

SHA512
e7b23006275181ea8c3e0f0b28770c776c32d545114f084c39c6d03b1a97bad8686d0d0c2e29b2c11113e38f00c1a2bd67bcb218100f76c958150d017ed4a3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c5c5dc9f16069721289b04c56b62bc24

SHA1
7b788027becd8a58c3beb0c510abc82324f48948

SHA256
b7f94ca181de332e97c23a06a60bbad7e5de4576879f22b0a897f5d304de22f2

SHA512
e8c15c7041942d2e41dd97b92592adbe428d3aab3ea907495890c526ee495b534d1eeef8f69e4c28785e9008f54e54457292af4606977d457425d371cbea45c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\cryptography-44.0.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_bz2.pyd

Filesize
48KB

MD5
b1197cbb61a144d40a142794794bd087

SHA1
40b3a4f1e92f4757fa8934fcfa9af8b2fc0ed419

SHA256
f5a753fd08c3282945e42c33d8a98a19b9a6e836d0539982b8687519a39a1ee4

SHA512
2f2d1450bf76ba18b5d6ad7914032e1d2aa0a046e2f4f452010ee17d55c12f461c51820f8a6fb0cab2f868081a5531825f95909fea040020bceb621f4daf61e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ctypes.pyd

Filesize
58KB

MD5
c687c554a505abcdf2d4b4a8d1aa9884

SHA1
b526045c347423e301e37576eb1e7f98619a70d9

SHA256
335a36fd21131736d36d8d8d947ab581b62da9ecb9c826a17b105bc9809ff0e6

SHA512
23a31a3238fe64fde854a484360874bfe3962654262b54e6bfae61fcb88913755c6b6af5c62ffe8d006d9f87c971d143b085e407d261853e62963ee1ec356d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_lzma.pyd

Filesize
86KB

MD5
b0f3f0c44c3b21f41b3c230e82a0863c

SHA1
043304430233d7ed86a4b0a2aa39295e09f68abc

SHA256
e87e765d0e93f3316a0ec077c2ddfc8a0052a8dbc052243cf8024b72dc48aba3

SHA512
851838d4a27dd6ab64c1a8316affc8e937590635e1b1fdd5946231264e3f3804404153d79cc3b9406a575a85b97380ace72c61a806d4e5fd2fce8c222235632e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-console-l1-1-0.dll

Filesize
41KB

MD5
e075b4fd5bdc7ba20f82e9efa5d29044

SHA1
de2f2473dcb6eb1ef6ceac38f4bc3ccbcc05bd93

SHA256
ab7bff07ced56ab79895f7749f5dba20be8dbc8370b373d9b98178df99b91854

SHA512
db1faf7c8358946fbc8f674daa8749d245a5a417137fce6b662c066d69358f81ce153b13916315bab630955392c1db59549e0d354e24025b3edbc4017cf4917a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-datetime-l1-1-0.dll

Filesize
41KB

MD5
dcae341ba54f008862b979808fa03076

SHA1
4ecc159fa89b9b47307904605f1cfc25dbf39449

SHA256
24eff95e03e5f29590d5aba746171ad61f3e70a85ed2b1d7db22ba21dc418e10

SHA512
60ec9916c96ab01cc3c49e31f1927599dd83aa1252a420dc2c338ebbcdafcbab84a6660bfe547f27a61148e1452728f81d690b3a312da2e5c93faefb1e722c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-debug-l1-1-0.dll

Filesize
41KB

MD5
40877b3395dd815c524062b6e1360755

SHA1
20412dfddc733ed40bd946214c939c7f15129f63

SHA256
b6d1b07f5722c566c6e97e30012dfa5ea7e2307468ba5a466eef6d6f0051bf47

SHA512
2dfb97f7cbce33ce0b6811356e92111fb6cc960a84303432203cff00c9f89d67ac9a8ee62575469e5cf6ba62183f3da04740c886d5d597cc2ed6029a3b08c8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
41KB

MD5
9479e132c5f8b5563a7d0ae59a8e0a81

SHA1
0ab1e7d911da1361b2c8d17c463821b6a38d7acd

SHA256
1bd5dc0be96e4061b7dc5136e697637afede0395de19ef96ff0edbfea83a2ffc

SHA512
defbd3b214a822ffc84559960169e245508a4ca73c2946b63c9016b58a69eb6ca44c8f5b9b214b831ee13a49b61c08c581e71838cacbaa17eb17cc86ca93bc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-fibers-l1-1-0.dll

Filesize
41KB

MD5
386f95b018f74b93e163f9c7bac0297e

SHA1
c6007d1c42e371e5f3841f5faf2d3b249fe93f54

SHA256
814ea0556a2b1a70609f3a2e9cb91640ee5c815e81e16069381204281fd7366f

SHA512
e28281bbf8114e630e91fc4a28bee5e31179f4e21b323e180341d28cbec9b8918d0b7f83a0ce27c4fdc33016eed986f70397293c781ab3ee07bed9113b4e9bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-fibers-l1-1-1.dll

Filesize
41KB

MD5
09002b406d84a6ddff0d0b2d9f0dcb31

SHA1
35475ca34c0aa2fc525bc398a79fcccf7ab0b3fb

SHA256
bc205e226a0a6f889f8fb757578f13683e5a5342b806e2c410cfac1977fc1d67

SHA512
3053341d03429e733fdd0c9f2309609b24116c95e25a737b68277bb30079834379d3accf96c99d4a399b69b15c8f4fe4977d383224af4d1a0505711092d91428

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l1-1-0.dll

Filesize
45KB

MD5
2e6110e93b94d1605062b404627aae8b

SHA1
074a88d51c241211f686a190ebd590fa0f30e186

SHA256
f5c798ab351fe7b2610bab23d5dd3a69672bfe9ffe86214d373bb69cd81e94c7

SHA512
f7f0a1d275f28cd5e7bd9960058152deb4f571e2d88dda5bab33cd9d350b71cc30476d4b5eb15ea71a67520b459bef8b954c7da845a7717c334e27ca0bc64087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l1-2-0.dll

Filesize
41KB

MD5
d23be93c9ddd944aac50c7bdcece08ec

SHA1
13b8c82b775c0ebad2f28371e89e51c5245284e2

SHA256
178094a7c8a521075d18bd3ad4e2cbe7e759f48286939a83139ae3c20d274a8e

SHA512
f78f6669b60801f8cd8945a6a3e0092bd1f4a73a69073e67238d73eab41b4e5669bd96ec48efbcc15e908dcfb3eb9673297c2f07d615a1055047e5074b96e2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-file-l2-1-0.dll

Filesize
41KB

MD5
0f474261a44f9feac537227f89a5fe3a

SHA1
147f1ad2a8a5211cfb2268957da6237260592314

SHA256
4e24def004f4bcc0e7be38695a2928e2d0d0b6f257bf35b23a3528938cd33b37

SHA512
6ff116a0a81371638b4b3c76e2c3cc6b7a7f16781e6b23aa6d01b55a49a5e574c795bf4586f72ac90991de47123707250f9b23d10e643100022edb5c70ad0175

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-handle-l1-1-0.dll

Filesize
41KB

MD5
f5042fda696e7c40b69b5ee20469a028

SHA1
27b5f9fe3f6065fb58df7895cb748833e0444cd5

SHA256
720fde4a03d6927560b2c3a90a89206a40e6bbb09a19ca93a6ebbadc3072d9ad

SHA512
d676bba419b1fbf9b6b74aa712df2e1521a7b0560a117901c594c3f45af5a69f40a354dbd8c73b2c0f1e4f07746dcf95726737d5ee6c34817f8ee702253790fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-heap-l1-1-0.dll

Filesize
41KB

MD5
f1e7a7975e3f947fd84e5dc94d191327

SHA1
e21ecef619ef09aa9c477127f395c65b315d2512

SHA256
829fa82a292ecfab5fd14251e038d14a300dc877a102d14051367fd1d5711f9f

SHA512
1fe5568b25d3dcc7f2f15ee6237cc3ce398b9c54bc1a80388597dd809160a94f1b07803488648f9534f77187aeaf8f9c69549ce4ffe88eedb92af937fe172c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
41KB

MD5
c3910766ca378d8dee6f0d5553946ec4

SHA1
478d49780ad91b31c8a8815aae0a48b0aa15bcfa

SHA256
357b1f2c14afa7c67bfde9793f6f9b02e8cde03daaa0433884a17120d2a12635

SHA512
2e1f61e69a80191605b2f36a08a9d65a687bdaae3a163beffe95baac30ecd80ed39f0c39170df8111d053e10b2ca5a747921b412704959d457feff8b540d4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
41KB

MD5
11a031a60feac7dae1139cdc1579bd83

SHA1
e275da4f2e834374da783be357526301241aa766

SHA256
fc31f185c222e9ecddee598d0d2c42ae98c826a9b17b6397942515c1a1971e3d

SHA512
5d970a2ed0220cba914d7de87ed59280e428846329ba1c0d37dafc2746a2d50b2ca5fa3ce4de9899718b55790268e2a48a1f0ef37860d4cf896f1619f50c46e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
41KB

MD5
6d1904f3a7628034ee2c5ac5fe31a246

SHA1
44417178ac3006fd44a62e955af890296a233841

SHA256
d9996b423f90300de089235a928a3a4fbfe8a012763b319b17bb115eb6d20987

SHA512
0016d822c113f5f3978127535bbf0a5402b49b12b989ebf1e73a32f7ea2da73454df22d11b12d8056d89edb1bfd91eb232e89d633ac8d258b58f5216375754d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-localization-l1-2-0.dll

Filesize
41KB

MD5
90bbf3609ae15ef50aad56e23764cc1c

SHA1
148a7bca26fec27a6ba9bf2a4c5caba2ca3863b9

SHA256
d457bbad02b56f740b48f0cb83e9de57b4d688eee48067f1d8f79f4fd8980213

SHA512
282de53e603a6ce08a798dfa713393b99eb71803dd5f6f1413719082342a5851e6bbd11be05a94ca4496f5ddedf20c55d9ede541eca3178c9d3dca39408c1a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-memory-l1-1-0.dll

Filesize
41KB

MD5
b46cc48e530139984a5f2a7f74ffc5f2

SHA1
98c3c3c06d9ccffa2b3ad3b399455bf5f81fdd94

SHA256
8eaf6389525c8a475401d82c35cdb0a5ab5700aae21624cdfe22d9aa25528ea2

SHA512
0b64544b0cf474d0324560162172b8c9d00ee454488ac1548ff314dc04c90ec73b0887262c3f8aabde975b12c790a16f381adc7dd5a5ed51144e9cdb9f55bf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
41KB

MD5
636623ca4481658f5394c0f9211c73be

SHA1
a07975265b2305e2583dc5961e44706ff3b05fc5

SHA256
efb3960069f1f78aaa58e7ece3e998dae51a81d0112050ba501d5370bb72d52f

SHA512
46b160f3064e8449748fcd23ccaec98545647929465ff8a9a185f867fbf6130b5aa9d434ecd89e6a3f53e6c5dc931e0ca3b4ceb1d761dff316db82d365d21e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
41KB

MD5
813b5fa697e1b4d4ca616385f0b1e4da

SHA1
46f4f0b16a7130e74aaa4e1b29493224b68874cd

SHA256
e628af22f908775dcbb3e288af35772f440114eb633c7e284886d1534451ada7

SHA512
c8c96509e47141d7e5aadcfc9280312d2a19d60caee986c5cc6fe93aea3b28b68740c42f82cd99d2a3d533505a4aa7dd92ebd68a602f8b80c682a50875840368

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
41KB

MD5
7756e92b549f58e7a82f2aaf6c5b6b91

SHA1
302d3b539a9983b45253181fd79941c7ac401a3a

SHA256
078efbca600fdcda13bd591b1cc5b30e9b5173a4f665298d7acc9ce17e0e6edf

SHA512
1fdaca889f8a7e9f9116bc8a1391cc90fe3b235d4afbc9fe2d3cdc7367603f160f5b42526a44ec5b62bfb2b161b1eae83d71f449875c1644b106d41f6a6eb028

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
41KB

MD5
1e53a7a01e9ad8932be69928e79c15f9

SHA1
1867d7f8c5168c7b9486e7e900776ddda3eac963

SHA256
800805d6d1364f0d5abecd7812002bf7099a74bb2fab0552704f79e16a0c4ba7

SHA512
4af90c68614175d6088b134a47f5616459ea5350a2fb2ad51c1aed2ea355085375930a04dc11debc9a7ad90e84311faa396d8f4abc285ab68c504b3bc3ac064f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-profile-l1-1-0.dll

Filesize
41KB

MD5
2c34364ee201792be89d3305f2907025

SHA1
3b82f7c0ce753dfac27070dc578f3c0f4bd5b6a9

SHA256
2b2156740cd7adfee5c40a1c70dcd1c9b929daf383a1f522e99fbb61ed1ca911

SHA512
e945b6b05154b53dc8244abe2ab43c45c62c9b34c0d3885c3b92aebcc214654f6cd3a10adb061d3708ee7d56b58550a4bd956e21efefc1554afaa1d5449191f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
41KB

MD5
278e4821eb15686d28ef7d5843e1f123

SHA1
6a05eeb3a99cd7cbb8315029be0da0cb68a5b185

SHA256
b3a1816118c2b1a112d1f11fb6b700c556cac72bdd7c0128dabb7549121cefc8

SHA512
1b075c17614c42ea2cdcbdc51c163e49d33220d0681330ed9b1d2167fecdc9097d0cda275a2eb1931f39672279ba295177f83a4513993c1f9c0ccb106d697a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-string-l1-1-0.dll

Filesize
41KB

MD5
f1d3fca8200f0d34d5713f60d36fddab

SHA1
9515a3580ab224cd4bde1a5dbdb8fd8000bf8bdb

SHA256
2eea31f7d35b15d20b91d0244321cb96787cba03ba4664be95de7ae9d2061e06

SHA512
1dd5db7cebadafd0888914bfbc1f79f843d5d13b13e1c1d684c3524106dd258be535972f7b12c2170fdffd52daa8c52b05401798bf48ad29484f7ec65649f219

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-synch-l1-1-0.dll

Filesize
41KB

MD5
94d407aa7b6161d79062dfdfb2fbb9f5

SHA1
fba2b45845c0dd151d3465d3991e934762a49111

SHA256
2540dd9ffc2aa3500bd3115902bd99da2a3ec5121b36abca1173e0069b7c2d27

SHA512
fd01ad8ba86e9684460fc5c13e47a53e7114f79db06f34ea23d1f4522ac8e4397847c267353c2919710991166fbf12d268bfa1b4293da9b4190700ae98b8c1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-synch-l1-2-0.dll

Filesize
41KB

MD5
618e3efb088a1d755518dc25281f6c5e

SHA1
8e4c25d1f1ef2697f1fa0cab052884183db770da

SHA256
403d9ba03e27d6388d78c1cb4ca38842c69cb127558f84a11cd401995996c2c8

SHA512
924d712ded9ff0b38be813571eecd8b6fd70d6c9b3e87965cafa51ca4821c092d908eba6a3c56cefcbaf58068ca90b9ae225a2a16b9344cca244f94eb25ee838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
41KB

MD5
fb01945169ef765223c23b2aa80bc2f8

SHA1
0d1c9fc5d01e3ca04400e33688e1d411d55abb70

SHA256
30bc178b833d511d64c46833b5be8d9429732cfb8c4e03535840b41512858185

SHA512
854bfd8433066e6e4aacc0d0cac1c114318060bce2be7b448eb0be035e00387154884cea689288d041c4df54b682ee65e11df0ca4c360913eb613866f5943b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
41KB

MD5
23c5a54c7f22afc248da7bdf14a6e92f

SHA1
6dc06a250f598030edb9ab60c3783c600c62eab6

SHA256
82ee35a4e604337c39c089a7eb5123b0c1d214f74433c53b2b7d09e4e19b4543

SHA512
44cdeeceaf75dfa1606c92f332d6b15445d3437ec0c03e00facfc54e0972d77be2bd63d9cf8c6e43de695665dea95e12e8637d20b6d2405d928c1c52becbe2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\api-ms-win-core-timezone-l1-1-0.dll

Filesize
41KB

MD5
67d21d1992ee3a3940a06531dca39cc4

SHA1
61ca92d347afe14fa082e91d76dcb9d190787c86

SHA256
b612f2c522dbf3d920f4d3c6ad6769e02480b62e06ae9d04e4a58b920a8dcb6f

SHA512
079dfa4f9e796653d04d62d4fbe137d2e16936d207aceba7fb41e9736d26c574fd9e6e544c1c4c2099ea4850a51fc8a37a5ad88b44de00fe32bf2a70f71a02a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip

Filesize
1.4MB

MD5
584fa6f82fb3a17fda63e8cc3169bcb8

SHA1
45fb683cdc081ec18faed4ba077894ad970cf35c

SHA256
81ccea6c0a298f261b0b56bbf7cbd2e7f0ba5ff8382076acef5ce432231bb1bf

SHA512
9375cdb6706f65fd7d20e134608136b071445f54d95b2908d5dbda267c62449a94a0c647699996d8789ea93afdd644899bcefe53ce6851ea2ba87eef9b66c7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python3.dll

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python311.dll

Filesize
1.6MB

MD5
0d96f5dfd2dd0f495cad36148493c761

SHA1
928107e88bbee02563594374cd6c6ad19091fe14

SHA256
a238f7fb0043c4b64f76095c1ef950544bb1d0debd0902ea0fa3e8d99e5d4a47

SHA512
693c28c64e974ca1fb754357788a65b3a0271e63395963bb92691a5838e1b665af7aada6be5c5ada8339100eedd64c40ca0556601bec26a0f9e483ea98ab2d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\ucrtbase.dll

Filesize
1.3MB

MD5
57286bc307eff733b6b59cb6274eadd9

SHA1
82d6035e8f15dbf07736ae99db35e7cb9b9dfefe

SHA256
cf3b200f14aa17d442056aedefeaaef0b8e4e6f8893f87877ec56886e2013f60

SHA512
4db5935986420f5a81e8d7d90eb59f47d346809dfdab5b907eb97bc935fefd5cc77fb67427768055b682d24bf0c073c9faa515ed8809eab8f9eeec4e46107ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\SDL2.dll

Filesize
635KB

MD5
ec3c1d17b379968a4890be9eaab73548

SHA1
7dbc6acee3b9860b46c0290a9b94a344d1927578

SHA256
aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f

SHA512
06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\SDL2_image.dll

Filesize
58KB

MD5
25e2a737dcda9b99666da75e945227ea

SHA1
d38e086a6a0bacbce095db79411c50739f3acea4

SHA256
22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c

SHA512
63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\SDL2_mixer.dll

Filesize
124KB

MD5
b7b45f61e3bb00ccd4ca92b2a003e3a3

SHA1
5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc

SHA256
1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095

SHA512
d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\SDL2_ttf.dll

Filesize
601KB

MD5
eb0ce62f775f8bd6209bde245a8d0b93

SHA1
5a5d039e0c2a9d763bb65082e09f64c8f3696a71

SHA256
74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a

SHA512
34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\_tcl_data\encoding\euc-cn.enc

Filesize
84KB

MD5
c5aa0d11439e0f7682dae39445f5dab4

SHA1
73a6d55b894e89a7d4cb1cd3ccff82665c303d5c

SHA256
1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00

SHA512
eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\freetype.dll

Filesize
292KB

MD5
04a9825dc286549ee3fa29e2b06ca944

SHA1
5bed779bf591752bb7aa9428189ec7f3c1137461

SHA256
50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde

SHA512
0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\libjpeg-9.dll

Filesize
108KB

MD5
c22b781bb21bffbea478b76ad6ed1a28

SHA1
66cc6495ba5e531b0fe22731875250c720262db1

SHA256
1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd

SHA512
9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\libogg-0.dll

Filesize
16KB

MD5
0d65168162287df89af79bb9be79f65b

SHA1
3e5af700b8c3e1a558105284ecd21b73b765a6dc

SHA256
2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24

SHA512
69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\libopus-0.dll

Filesize
181KB

MD5
3fb9d9e8daa2326aad43a5fc5ddab689

SHA1
55523c665414233863356d14452146a760747165

SHA256
fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491

SHA512
f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\libpng16-16.dll

Filesize
98KB

MD5
55009dd953f500022c102cfb3f6a8a6c

SHA1
07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb

SHA256
20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2

SHA512
4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42562\pygame\zlib1.dll

Filesize
52KB

MD5
ee06185c239216ad4c70f74e7c011aa6

SHA1
40e66b92ff38c9b1216511d5b1119fe9da6c2703

SHA256
0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466

SHA512
baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zrmjqnh.p1k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Koros Gorilla Tag.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3200-393-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/5500-1801-0x00007FF9440C0000-0x00007FF9440D1000-memory.dmp

Filesize
68KB

Download
memory/5500-1842-0x00007FF93CE50000-0x00007FF93CE7B000-memory.dmp

Filesize
172KB

Download
memory/5500-1765-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp

Filesize
1.1MB

Download
memory/5500-1764-0x00007FF954FE0000-0x00007FF954FF9000-memory.dmp

Filesize
100KB

Download
memory/5500-1762-0x00007FF959810000-0x00007FF95981B000-memory.dmp

Filesize
44KB

Download
memory/5500-1766-0x00007FF954D00000-0x00007FF954D37000-memory.dmp

Filesize
220KB

Download
memory/5500-1768-0x00007FF955DF0000-0x00007FF955DFB000-memory.dmp

Filesize
44KB

Download
memory/5500-1767-0x00007FF954ED0000-0x00007FF954EE4000-memory.dmp

Filesize
80KB

Download
memory/5500-1784-0x00007FF9549C0000-0x00007FF9549CB000-memory.dmp

Filesize
44KB

Download
memory/5500-1783-0x00007FF958AB0000-0x00007FF958AD7000-memory.dmp

Filesize
156KB

Download
memory/5500-1782-0x00007FF954C40000-0x00007FF954C4C000-memory.dmp

Filesize
48KB

Download
memory/5500-1781-0x00007FF954C50000-0x00007FF954C5E000-memory.dmp

Filesize
56KB

Download
memory/5500-1780-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp

Filesize
52KB

Download
memory/5500-1779-0x00007FF954C60000-0x00007FF954C6D000-memory.dmp

Filesize
52KB

Download
memory/5500-1778-0x00007FF954D40000-0x00007FF954D73000-memory.dmp

Filesize
204KB

Download
memory/5500-1777-0x00007FF93D450000-0x00007FF93D51D000-memory.dmp

Filesize
820KB

Download
memory/5500-1776-0x00007FF954E00000-0x00007FF954E0C000-memory.dmp

Filesize
48KB

Download
memory/5500-1775-0x00007FF95E960000-0x00007FF95E979000-memory.dmp

Filesize
100KB

Download
memory/5500-1774-0x00007FF955C20000-0x00007FF955C2C000-memory.dmp

Filesize
48KB

Download
memory/5500-1773-0x00007FF954E10000-0x00007FF954E1B000-memory.dmp

Filesize
44KB

Download
memory/5500-1772-0x00007FF954F60000-0x00007FF954F6C000-memory.dmp

Filesize
48KB

Download
memory/5500-1771-0x00007FF954FD0000-0x00007FF954FDB000-memory.dmp

Filesize
44KB

Download
memory/5500-1770-0x00007FF955CB0000-0x00007FF955CBB000-memory.dmp

Filesize
44KB

Download
memory/5500-1769-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp

Filesize
5.2MB

Download
memory/5500-1785-0x00007FF9549B0000-0x00007FF9549BB000-memory.dmp

Filesize
44KB

Download
memory/5500-1792-0x00007FF954D00000-0x00007FF954D37000-memory.dmp

Filesize
220KB

Download
memory/5500-1791-0x00007FF950AB0000-0x00007FF950ABD000-memory.dmp

Filesize
52KB

Download
memory/5500-1790-0x00007FF950AA0000-0x00007FF950AAC000-memory.dmp

Filesize
48KB

Download
memory/5500-1789-0x00007FF949E70000-0x00007FF949E82000-memory.dmp

Filesize
72KB

Download
memory/5500-1788-0x00007FF951580000-0x00007FF95158B000-memory.dmp

Filesize
44KB

Download
memory/5500-1787-0x00007FF951590000-0x00007FF95159C000-memory.dmp

Filesize
48KB

Download
memory/5500-1786-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp

Filesize
1.1MB

Download
memory/5500-1793-0x00007FF944420000-0x00007FF944435000-memory.dmp

Filesize
84KB

Download
memory/5500-1794-0x00007FF944400000-0x00007FF944412000-memory.dmp

Filesize
72KB

Download
memory/5500-1797-0x00007FF944120000-0x00007FF944142000-memory.dmp

Filesize
136KB

Download
memory/5500-1796-0x00007FF954E00000-0x00007FF954E0C000-memory.dmp

Filesize
48KB

Download
memory/5500-1795-0x00007FF944150000-0x00007FF944164000-memory.dmp

Filesize
80KB

Download
memory/5500-1798-0x00007FF944100000-0x00007FF94411B000-memory.dmp

Filesize
108KB

Download
memory/5500-1799-0x00007FF9440E0000-0x00007FF9440F9000-memory.dmp

Filesize
100KB

Download
memory/5500-1800-0x00007FF942190000-0x00007FF9421DD000-memory.dmp

Filesize
308KB

Download
memory/5500-1802-0x00007FF941CD0000-0x00007FF941D02000-memory.dmp

Filesize
200KB

Download
memory/5500-1761-0x00007FF958800000-0x00007FF958824000-memory.dmp

Filesize
144KB

Download
memory/5500-1803-0x00007FF941CB0000-0x00007FF941CCE000-memory.dmp

Filesize
120KB

Download
memory/5500-1805-0x00007FF93D2D0000-0x00007FF93D32D000-memory.dmp

Filesize
372KB

Download
memory/5500-1804-0x00007FF944420000-0x00007FF944435000-memory.dmp

Filesize
84KB

Download
memory/5500-1808-0x00007FF93D270000-0x00007FF93D29E000-memory.dmp

Filesize
184KB

Download
memory/5500-1807-0x00007FF93D2A0000-0x00007FF93D2C9000-memory.dmp

Filesize
164KB

Download
memory/5500-1806-0x00007FF944400000-0x00007FF944412000-memory.dmp

Filesize
72KB

Download
memory/5500-1810-0x00007FF93D240000-0x00007FF93D263000-memory.dmp

Filesize
140KB

Download
memory/5500-1809-0x00007FF944120000-0x00007FF944142000-memory.dmp

Filesize
136KB

Download
memory/5500-1811-0x00007FF944100000-0x00007FF94411B000-memory.dmp

Filesize
108KB

Download
memory/5500-1812-0x00007FF93D0C0000-0x00007FF93D23E000-memory.dmp

Filesize
1.5MB

Download
memory/5500-1813-0x00007FF9440E0000-0x00007FF9440F9000-memory.dmp

Filesize
100KB

Download
memory/5500-1814-0x00007FF941C90000-0x00007FF941CA8000-memory.dmp

Filesize
96KB

Download
memory/5500-1816-0x00007FF9440B0000-0x00007FF9440BB000-memory.dmp

Filesize
44KB

Download
memory/5500-1815-0x00007FF942190000-0x00007FF9421DD000-memory.dmp

Filesize
308KB

Download
memory/5500-1817-0x00007FF943EE0000-0x00007FF943EEB000-memory.dmp

Filesize
44KB

Download
memory/5500-1819-0x00007FF942180000-0x00007FF94218C000-memory.dmp

Filesize
48KB

Download
memory/5500-1818-0x00007FF941CD0000-0x00007FF941D02000-memory.dmp

Filesize
200KB

Download
memory/5500-1822-0x00007FF93D050000-0x00007FF93D05C000-memory.dmp

Filesize
48KB

Download
memory/5500-1821-0x00007FF93D060000-0x00007FF93D06B000-memory.dmp

Filesize
44KB

Download
memory/5500-1820-0x00007FF941CB0000-0x00007FF941CCE000-memory.dmp

Filesize
120KB

Download
memory/5500-1824-0x00007FF93D040000-0x00007FF93D04B000-memory.dmp

Filesize
44KB

Download
memory/5500-1823-0x00007FF93D2A0000-0x00007FF93D2C9000-memory.dmp

Filesize
164KB

Download
memory/5500-1826-0x00007FF93D030000-0x00007FF93D03C000-memory.dmp

Filesize
48KB

Download
memory/5500-1825-0x00007FF93D270000-0x00007FF93D29E000-memory.dmp

Filesize
184KB

Download
memory/5500-1828-0x00007FF93D020000-0x00007FF93D02D000-memory.dmp

Filesize
52KB

Download
memory/5500-1827-0x00007FF93D240000-0x00007FF93D263000-memory.dmp

Filesize
140KB

Download
memory/5500-1829-0x00007FF93D0C0000-0x00007FF93D23E000-memory.dmp

Filesize
1.5MB

Download
memory/5500-1839-0x00007FF941C90000-0x00007FF941CA8000-memory.dmp

Filesize
96KB

Download
memory/5500-1840-0x00007FF93CF40000-0x00007FF93CF76000-memory.dmp

Filesize
216KB

Download
memory/5500-1838-0x00007FF93CFE0000-0x00007FF93CFEB000-memory.dmp

Filesize
44KB

Download
memory/5500-1837-0x00007FF93CF80000-0x00007FF93CF8C000-memory.dmp

Filesize
48KB

Download
memory/5500-1841-0x00007FF93CE80000-0x00007FF93CF3C000-memory.dmp

Filesize
752KB

Download
memory/5500-1836-0x00007FF93CF90000-0x00007FF93CFA2000-memory.dmp

Filesize
72KB

Download
memory/5500-1763-0x00007FF958AB0000-0x00007FF958AD7000-memory.dmp

Filesize
156KB

Download
memory/5500-1835-0x00007FF93CFB0000-0x00007FF93CFBD000-memory.dmp

Filesize
52KB

Download
memory/5500-1834-0x00007FF93CFC0000-0x00007FF93CFCB000-memory.dmp

Filesize
44KB

Download
memory/5500-1833-0x00007FF93CFD0000-0x00007FF93CFDC000-memory.dmp

Filesize
48KB

Download
memory/5500-1832-0x00007FF93CFF0000-0x00007FF93CFFB000-memory.dmp

Filesize
44KB

Download
memory/5500-1831-0x00007FF93D000000-0x00007FF93D00C000-memory.dmp

Filesize
48KB

Download
memory/5500-1830-0x00007FF93D010000-0x00007FF93D01E000-memory.dmp

Filesize
56KB

Download
memory/5500-1760-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp

Filesize
52KB

Download
memory/5500-1902-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp

Filesize
1.1MB

Download
memory/5500-1914-0x00007FF934AF0000-0x00007FF934B65000-memory.dmp

Filesize
468KB

Download
memory/5500-1913-0x00007FF93D240000-0x00007FF93D263000-memory.dmp

Filesize
140KB

Download
memory/5500-1912-0x00007FF941CD0000-0x00007FF941D02000-memory.dmp

Filesize
200KB

Download
memory/5500-1911-0x00007FF9440C0000-0x00007FF9440D1000-memory.dmp

Filesize
68KB

Download
memory/5500-1910-0x00007FF942190000-0x00007FF9421DD000-memory.dmp

Filesize
308KB

Download
memory/5500-1909-0x00007FF9440E0000-0x00007FF9440F9000-memory.dmp

Filesize
100KB

Download
memory/5500-1908-0x00007FF944100000-0x00007FF94411B000-memory.dmp

Filesize
108KB

Download
memory/5500-1907-0x00007FF944120000-0x00007FF944142000-memory.dmp

Filesize
136KB

Download
memory/5500-1906-0x00007FF944150000-0x00007FF944164000-memory.dmp

Filesize
80KB

Download
memory/5500-1905-0x00007FF944400000-0x00007FF944412000-memory.dmp

Filesize
72KB

Download
memory/5500-1904-0x00007FF944420000-0x00007FF944435000-memory.dmp

Filesize
84KB

Download
memory/5500-1903-0x00007FF954D00000-0x00007FF954D37000-memory.dmp

Filesize
220KB

Download
memory/5500-1901-0x00007FF958AB0000-0x00007FF958AD7000-memory.dmp

Filesize
156KB

Download
memory/5500-1900-0x00007FF959810000-0x00007FF95981B000-memory.dmp

Filesize
44KB

Download
memory/5500-1899-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp

Filesize
52KB

Download
memory/5500-1897-0x00007FF954D40000-0x00007FF954D73000-memory.dmp

Filesize
204KB

Download
memory/5500-1888-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp

Filesize
5.9MB

Download
memory/5500-1894-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp

Filesize
5.2MB

Download
memory/5500-1756-0x00007FF95E950000-0x00007FF95E95D000-memory.dmp

Filesize
52KB

Download
memory/5500-1708-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp

Filesize
5.9MB

Download
memory/5500-1721-0x00007FF954FE0000-0x00007FF954FF9000-memory.dmp

Filesize
100KB

Download
memory/5500-1719-0x00007FF95E8B0000-0x00007FF95E8BF000-memory.dmp

Filesize
60KB

Download
memory/5500-1716-0x00007FF958800000-0x00007FF958824000-memory.dmp

Filesize
144KB

Download
memory/5500-1724-0x00007FF954C70000-0x00007FF954C9D000-memory.dmp

Filesize
180KB

Download
memory/5500-1753-0x00007FF954ED0000-0x00007FF954EE4000-memory.dmp

Filesize
80KB

Download
memory/5500-1754-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp

Filesize
5.2MB

Download
memory/5500-1755-0x00007FF95E960000-0x00007FF95E979000-memory.dmp

Filesize
100KB

Download
memory/5500-1759-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp

Filesize
5.9MB

Download
memory/5500-1758-0x00007FF954D40000-0x00007FF954D73000-memory.dmp

Filesize
204KB

Download
memory/5500-1757-0x00007FF93D450000-0x00007FF93D51D000-memory.dmp

Filesize
820KB

Download
memory/5592-3313-0x00007FF955CB0000-0x00007FF955CBB000-memory.dmp

Filesize
44KB

Download
memory/5592-3312-0x00007FF955DF0000-0x00007FF955DFB000-memory.dmp

Filesize
44KB

Download
memory/5592-3329-0x00007FF944420000-0x00007FF944435000-memory.dmp

Filesize
84KB

Download
memory/5592-3328-0x00007FF950AA0000-0x00007FF950AAC000-memory.dmp

Filesize
48KB

Download
memory/5592-3327-0x00007FF949E70000-0x00007FF949E82000-memory.dmp

Filesize
72KB

Download
memory/5592-3311-0x00007FF954C60000-0x00007FF954C97000-memory.dmp

Filesize
220KB

Download
memory/5592-3325-0x00007FF951580000-0x00007FF95158B000-memory.dmp

Filesize
44KB

Download
memory/5592-3324-0x00007FF951590000-0x00007FF95159C000-memory.dmp

Filesize
48KB

Download
memory/5592-3323-0x00007FF9549B0000-0x00007FF9549BB000-memory.dmp

Filesize
44KB

Download
memory/5592-3322-0x00007FF9549C0000-0x00007FF9549CB000-memory.dmp

Filesize
44KB

Download
memory/5592-3321-0x00007FF954C40000-0x00007FF954C4C000-memory.dmp

Filesize
48KB

Download
memory/5592-3320-0x00007FF954C50000-0x00007FF954C5E000-memory.dmp

Filesize
56KB

Download
memory/5592-3319-0x00007FF954D00000-0x00007FF954D0D000-memory.dmp

Filesize
52KB

Download
memory/5592-3318-0x00007FF954E00000-0x00007FF954E0C000-memory.dmp

Filesize
48KB

Download
memory/5592-3317-0x00007FF954E10000-0x00007FF954E1B000-memory.dmp

Filesize
44KB

Download
memory/5592-3316-0x00007FF954F60000-0x00007FF954F6C000-memory.dmp

Filesize
48KB

Download
memory/5592-3315-0x00007FF954FD0000-0x00007FF954FDB000-memory.dmp

Filesize
44KB

Download
memory/5592-3314-0x00007FF955C20000-0x00007FF955C2C000-memory.dmp

Filesize
48KB

Download
memory/5592-3330-0x00007FF944400000-0x00007FF944412000-memory.dmp

Filesize
72KB

Download
memory/5592-3331-0x00007FF944150000-0x00007FF944164000-memory.dmp

Filesize
80KB

Download
memory/5592-3326-0x00007FF950AB0000-0x00007FF950ABD000-memory.dmp

Filesize
52KB

Download
memory/5592-3310-0x00007FF93D330000-0x00007FF93D44C000-memory.dmp

Filesize
1.1MB

Download
memory/5592-3309-0x00007FF954D10000-0x00007FF954D37000-memory.dmp

Filesize
156KB

Download
memory/5592-3308-0x00007FF959810000-0x00007FF95981B000-memory.dmp

Filesize
44KB

Download
memory/5592-3307-0x00007FF95E8B0000-0x00007FF95E8BD000-memory.dmp

Filesize
52KB

Download
memory/5592-3306-0x00007FF93D450000-0x00007FF93D51D000-memory.dmp

Filesize
820KB

Download
memory/5592-3296-0x00007FF93DA50000-0x00007FF93E042000-memory.dmp

Filesize
5.9MB

Download
memory/5592-3297-0x00007FF958AB0000-0x00007FF958AD4000-memory.dmp

Filesize
144KB

Download
memory/5592-3298-0x00007FF95E950000-0x00007FF95E95F000-memory.dmp

Filesize
60KB

Download
memory/5592-3299-0x00007FF95AC00000-0x00007FF95AC19000-memory.dmp

Filesize
100KB

Download
memory/5592-3300-0x00007FF958800000-0x00007FF95882D000-memory.dmp

Filesize
180KB

Download
memory/5592-3301-0x00007FF954FE0000-0x00007FF954FF4000-memory.dmp

Filesize
80KB

Download
memory/5592-3302-0x00007FF93D520000-0x00007FF93DA49000-memory.dmp

Filesize
5.2MB

Download
memory/5592-3303-0x00007FF954ED0000-0x00007FF954EE9000-memory.dmp

Filesize
100KB

Download
memory/5592-3304-0x00007FF95E940000-0x00007FF95E94D000-memory.dmp

Filesize
52KB

Download
memory/5592-3305-0x00007FF954D40000-0x00007FF954D73000-memory.dmp

Filesize
204KB

Download
memory/5592-3332-0x00007FF944120000-0x00007FF944142000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads