stormkitty | hxxps://www[.]mediafire[.]com/download/zndery751x84qdg/Silver_Rat_[FULLCRYPTRES][.]rar

Analysis

max time kernel
735s
max time network
725s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/download/zndery751x84qdg/Silver_Rat_[FULLCRYPTRES].rar

Score

10^/10

stormkitty agilenet discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/5020-609-0x0000000001200000-0x000000000122A000-memory.dmp	family_stormkitty

Executes dropped EXE 2 IoCs

pid	Process
5948	SilverRat.exe
5020	SilverClient.exe

Loads dropped DLL 20 IoCs

pid	Process
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/5948-373-0x0000000006970000-0x00000000069BE000-memory.dmp	agile_net
behavioral1/files/0x000700000002359e-372.dat	agile_net
behavioral1/files/0x000700000002359d-381.dat	agile_net
behavioral1/memory/5948-384-0x0000000008C10000-0x0000000008D5E000-memory.dmp	agile_net

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SilverRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SilverRat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SilverRat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TypedURLs	SilverRat.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	SilverRat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	SilverRat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
1320	msedge.exe
1320	msedge.exe
5684	identity_helper.exe
5684	identity_helper.exe
5376	msedge.exe
5376	msedge.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe
5948	SilverRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5224	7zG.exe
Token: 35	5224	7zG.exe
Token: SeSecurityPrivilege	5224	7zG.exe
Token: SeSecurityPrivilege	5224	7zG.exe
Token: SeDebugPrivilege	5948	SilverRat.exe
Token: SeDebugPrivilege	5020	SilverClient.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5952	OpenWith.exe
5952	OpenWith.exe
5952	OpenWith.exe
5952	OpenWith.exe
5952	OpenWith.exe
5952	OpenWith.exe
5952	OpenWith.exe
5948	SilverRat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 4260	1320	msedge.exe	85
PID 1320 wrote to memory of 4260	1320	msedge.exe	85
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4804	1320	msedge.exe	86
PID 1320 wrote to memory of 4504	1320	msedge.exe	87
PID 1320 wrote to memory of 4504	1320	msedge.exe	87
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88
PID 1320 wrote to memory of 4100	1320	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/download/zndery751x84qdg/Silver_Rat_[FULLCRYPTRES].rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83fde46f8,0x7ff83fde4708,0x7ff83fde4718
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,528869281014353245,7885058731040688422,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4124 /prefetch:2
  2⤵
  PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5952

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\" -spe -an -ai#7zMap22390:112:7zEvent22973
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5224

C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverRat.exe
"C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverRat.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agfeltil\agfeltil.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D52.tmp" "c:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\CSCC5A5E2B656A47E0B3129068B827DE1B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5320

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:944

C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverClient.exe
"C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4877db58-2dc3-4cda-8206-bc13b8b2e8c6.tmp

Filesize
2KB

MD5
e2f2541fa040865d4a8e0d2f01beb9a2

SHA1
bb3c3e4c0ffe2a97fbe1e0575032861bf3e3ab79

SHA256
9ee83bd4b2bb841c54a4f790a545cc137c6d63df68ec0b400b5e04bb7913871f

SHA512
5dc496058df7f2bef54fbe34cca0be55612441ce3cc3b51b833afa8efbd2189f079e91f6476d1362fce0882e153da7f4b8082ea24455fca0cdef345c17163807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d4f08522c0c6ef480c9e88ed6d348b9f

SHA1
53a9dafea681a30ca933afc3db7c61611dbd3526

SHA256
6304cdf9fce6767e8098b270d1a8ff013683f5bbf85dad96526034a959d21fe5

SHA512
d99ac50bc02b3d2a20da205d0815c188844efdf3f190aecce42daa320ff0ca8a94b06750c8f149b7bc1e738bd98b4ddd529dc66313b87b0f7d89727f08a7840b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
d4c34fa0c3e73a9089e5e74bf22f313a

SHA1
75f0e458828aa5e946197ab223ec7c425234659f

SHA256
567b8f41b6be1fb767ea1f38cef47509bd3cf57978ffc3f90db6d6596558d89e

SHA512
41224d453f26451f39adf326b7089e49e78a398b467ad3beaf8d4569836993b735c715c5ec253bb87444377b56efc2d694d50b1949b95ecf94f741740f345642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4bfdcaeb6ce09ecf21f6c611c0ba3426

SHA1
32de64d52d92f95c25dd1132277ff2cb26189bc0

SHA256
2256cafd373c123899a0c718ba8dc25f24438d52c28a421ebd87be95348b8e57

SHA512
28516a521e488a1f66b39e4b893998e45dc765771637e3533a342d6acac6cf0a9b2b2e9eb8759243cc2fa2dce7f582572a6b2f1191b935d5039d3b1df410dd89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f965cd77770d28b5406c2dc54aadbc59

SHA1
35ea7715197b262dfd6189f6796856a1e62fe6f6

SHA256
f52d92239d462e34d43c52f83b9f3a45e7c89e87577b91ca05aa704f3f8b0c5e

SHA512
f3eb8193254b219d7169e357cbb7ea3a8fd2f50024c58924adb50ce1a5fae53095ab6dcfd8222174df63990630e097e1de77a734c376f5d4d397b8fdc7bd898e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
627926c1e8a423c0b8cd5f8a71a10388

SHA1
f2747f5b8db4b85e5263071cfa3bf5532a58379c

SHA256
147848f9554d94a479b654664ea424b361176f432dc1f107eb592ae93ee2142d

SHA512
00771cdeef874c4ef9013d07d521daa045af4ed0fd86b413a8b3169969e01f1be402fc7012f52765ae2326bf95ac5a4e1f6cbc2546b8a3cad99dc12784470187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c7beb9db8e6c83dd91aec7b4802aea50

SHA1
afac9601c40216e451da6df10b48092ea303793e

SHA256
8d6deb7cd4ed71eec547443c39f94f6d5a4f90ebf77e729de7beff881b54a22f

SHA512
a9fe003872c3ac017c8d339ca0fdfa27b8b3c48a7c22d88080395a5bf1c47495315e6216ea1bda8df862f765b07bf461ff0a196d532f5c8f0743497e117aba77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8455a09bd33cd7197e8dcc998d74f20c

SHA1
9807681fd02561be8467154d4c05fd4117d22b8f

SHA256
92d19aa0d6a987030f133af02464c294f52c153e57821e40c23afcaaad0c2558

SHA512
70a5444ef8d4a1a61fd61381a30fe98e0a61a4110cdeda088a58144b08f78e9363a66a13e51d8d1174891f2cd548366691cf59bc6134e4364b1e42ddeb46d4ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58124b.TMP

Filesize
2KB

MD5
f5cfb318efb7334f47816b144ec6341d

SHA1
7186518bbbaf319cdbd28272e921d1a655d62e0f

SHA256
d157cbae38d3d0fc0f1594d3190e8667a5a600499bb075ad3642b0715bddfe02

SHA512
b2a467df4b6a2c12d51becb729adbf7612881747f11b2e8640360fddb9efbabc8ab44c1f675d0516167f59bca945014d52d666ccf81fe83fd312035b240bfe71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f08d48a62a6ef4085ee8a7c027b645e0

SHA1
bf78c41299e9192a70eaa507fb14e00e64608876

SHA256
4aa3259ee1df8bc4a18b3cbc22000b881922efb029457df3eb51728c94367604

SHA512
fb97e28c51743d93e63e418c7371929d050aab98ef1a20af3d52c29555b1d12a65f35b9158c84662996c37f96cfa2d244adde99bda0071a7ab356684a73c3708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d3b4694ebf3c7c315008fd2494ff7f5

SHA1
36a5b56e9d949e8e61ce516cf053b15197cd2e58

SHA256
c567d1e2712d32c2516d009e825130c124d5aeb6f54e18bfd6d6d65f5aedbbc1

SHA512
95f990f79d83dd3a611c0a8ab0f7143588e8599386fa7e7240136c612f1cf1d3c35bf2bd36d04affe2ebfd3ed5e3931cff150b22a9dd9ad1b85bdd5d4f33e8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
714139527b9a2099fc5e3ceb9d3e30df

SHA1
22f03ccfb9b1d79f72a444f74d9062224598e1e0

SHA256
3adb2b0ee325af08e8bee29ebabf0f0332fbeb7b03e457f8188160a4790f768a

SHA512
69a3339ee8d695b210f1c8fd6ee4c9eb6e809f6e179273cf7e1ab2c4f0f0d179c83ec4415ee237dfca82b11659cfe9adb9dc4247603b5128de03964798d16e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D52.tmp

Filesize
1KB

MD5
b24eea07d6cf8803a666ae5c78a044ea

SHA1
b03f492defe38af1c60c99a0e534f506bbef32dc

SHA256
30c265fc325f9b89ca852d2b42558e3a24fe003e417b069ddfeffd58cacc520a

SHA512
50f65d3c99eee24c5c72c822b772fafc7f8db354c98aed84dc39b0e90157191cf7a7619c064c85f159753734d102fa60c2a63e458decab1b6347ac6f70d80ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCD6D.tmp

Filesize
4KB

MD5
e1a48ec781542ab4f0d3a3368b2a1d05

SHA1
a35670f07e5320a1591a55d903b35dcdd1d224a1

SHA256
f41d8818774f3ec0bf936e564f50008b46f5e4060edaab3bd72ffa389fb9ef21

SHA512
d3e756d8b321d38962a7b36af617d152e9bfd499b31f1630a24ada435715ad81a29ab73e4ab4aa21bbc9029b4177a943303e7df922bf375c2583607cb6f6566a

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES].rar

Filesize
11.6MB

MD5
91ec369a7ed636c5429d87d1ecc4c544

SHA1
f1025052fd77ac527428a01b62aa914d3351a1b9

SHA256
5cd48b740e77efd58543dbc85f81a6304c8082298ad79cef77e2de32def53a95

SHA512
0da31ea133611133b3591036ca1375eccbaab6ffe64211459f34b4ecdea38cb32a8945b67dac57286c3e04638af89b4e62b40ea874ef00ca790e4e8ad4ed7fde

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Bunifu.Licensing.dll

Filesize
1.3MB

MD5
c18a9e44e200c7315a1868caab894293

SHA1
18f65508762d2492f41b22e4e6e5ad19a2226baa

SHA256
661a5be944dc9fb2e0eba01c3c0584feb3ecca44877d77f54d0f409ce801af22

SHA512
9a5e08bb6ed4535ac92ca446b630b29587cb5a4d7d695234a5d93267d2ac13d702b3738ba0e20606f10020e9642e8e315e7ddc92f1c321b68daf8524a3f5f2d1

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Bunifu.UI.WinForms.dll

Filesize
1.3MB

MD5
686833fccd95b4f5c8d7695a2d45955d

SHA1
882f60ea47f536c1f01da0f5767dfe5d569fc011

SHA256
578cbcfb7a01234907fb6314918efd23a502882c79d0ee3c2e7d4ae0cf63ebc2

SHA512
8bb3a8741b73ad7c280de31905dbfc449c2d6f538b8feca232201c7079f917c4291936211632bcdf17c95d6cf5d9b97df2cdd21c57af6cbff486ea7691ff3bc1

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Guna.UI2.dll

Filesize
1.4MB

MD5
acec68d05e0b9b6c34a24da530dc07b2

SHA1
015eb32aad6f5309296c3a88f0c5ab1ba451d41e

SHA256
bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277

SHA512
d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Camera.dll

Filesize
52KB

MD5
e9e0b5fc7b1ed6f01d08d981d1cd761f

SHA1
011ac2fa1b9df6a4cb6d88c14316216bb64526bb

SHA256
2c82773466f72756d8152e4d5dc24d2ec954bfe5a6e7cae587d2e1d316ef43d0

SHA512
df75359dd9c1bcc6bccb17522186d710ae16054a496c3f75fa171dfe8f09e314fb28a7b1111193e64e37639c6d37de5c77cd99d795f72ab5338459886da6b964

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Chat.dll

Filesize
36KB

MD5
736292dd81ad93bff84c28ce5de02385

SHA1
40d46e915d049966f023e8d8c1e059d9b6c22567

SHA256
0c83898f29762a4e3650fc5f5a8a3c3114d06da8f6a3fb2fa8b990a36716d6bd

SHA512
c126f17b9ed91994d52e61c7ab75536962a2c0f03cf90cba06fa423dd732379e7ccdf4050dada73267864feee8b677bd5c16ead8a485e3d8bd3f4bcc462015ed

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\HApps.dll

Filesize
30KB

MD5
a7c3b329ab9f4e20ed40c78b2ac36864

SHA1
fcb594e1a2a7c27e0208d413411e1ca30fdf4279

SHA256
d922c1762640f37a503eb116627a732290ae38b52f9b33437ffee608f7853a28

SHA512
870085fabe2ae4768b6ea9d2e7f13dad752f4c26ec6d61debd0b76c683771823b07338e1323e26c0c8e17f9ecf7f5d7fcd4b7d0b148501ef9e278b8b680925f9

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\HBrowser.dll

Filesize
22KB

MD5
ce1d9f8c498cd8c5ee38fa94df4b4907

SHA1
d3b811137776e4b1dc937d294ce0eff9a12594ff

SHA256
55b5efe0a09cb5cb79308874e2e5d25c895f995754bbf960ce9a403207ce3abd

SHA512
58c9e62bc32376773a9bb1f266aab617ad2098f2d12b13fba1bfcefdf3edd1f44682c791567cc67035550b80b735ae460111145fd1b9d733325cda9dfbe61849

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\HRDP.dll

Filesize
16KB

MD5
b9c9ea357d04731bda8c8393ae5cd741

SHA1
8d462aafddd5f37513226523dd4b7a354be2f492

SHA256
a475f59f6a1b6b1fb4c6e78f1fbe7df2d38c4f743488ba7da128a5771bf6de86

SHA512
1876e27c5d224d4bac403f99bfff21cbdd35e3d4d91257ff7c2482552e9925d85c69eb092e590ca48251e8fbf19372c131d191caa0e2b8977a2ced36173515e2

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\HVNC.dll

Filesize
31KB

MD5
3d07031e76978680240e80cc54451ad4

SHA1
255f32852fa97990ce16c8bdae766c79c7bcfe56

SHA256
44cb17f3b048ba2c7653409b0dec7c94eb86d2cf0322ac79ce6764d5b8df1549

SHA512
3595793d4b8e197a60d9c28060415489592da44e20e8f999d91e4c2f164e43ee00aaf94216a0daf4ade1cab8577dd34bb8e02c7ba12b3757b2c82c4e4bb91c7a

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Keylogger.dll

Filesize
13KB

MD5
8e2d761ccea68168d0b991b475155678

SHA1
2872d722bdaf496d520e643d114e712199ef00f1

SHA256
c3fd1d11641109c9033fa20af16c6b737008c137fd8a926bf0b4c6630d8ab9ac

SHA512
e179a1da9f2d00cd74352dc81305462dc928a6e2acace665d42e8a2d0999bc6c8669e5e290ebd17064c6166604f87de2c7e7f31b42b4ea82b23738792c68f68d

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Manager.dll

Filesize
126KB

MD5
b17ddbfdf27aaedb6e26ed70783a6ae7

SHA1
08590ed55d9adc47c53a9dcf7dfafc60b877aa13

SHA256
da8c5ffb5d268e9aa5783bcb064502df8f78cba724a0f96793795fe97e62a6e1

SHA512
0079131280257413f43a01a0de2b3cf393745d2864ab521619888b3b25f7f0ec1f32f9d6f682250b73c92c1483d841f7ca3f8bf34e785e3fc93afae6d086693e

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Options.dll

Filesize
45KB

MD5
ff88d61dc7adc644d79b0f898059a7b1

SHA1
151557a014d6b177fd1ae1496f0719184df08c86

SHA256
3fd7b67e56b40caf53aa9b2df102967f7e2aab0bb4bf90ea769ea725c0498657

SHA512
ae06793d10c6c76a994db8cf3fe97a859df2a1e0dd2bc56fac042bba8a93a56e52b4edf28a30113e4cd547157bde07a77383f0295822d8e6ddea51dfcdc0b1f0

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\OptionsForm.dll

Filesize
28KB

MD5
fdaa271259f3b58f88bcfce1da990af4

SHA1
ae2bb4c6725134e9f53f7d63d8920d5c7c4e54de

SHA256
b2a0dd7d7b92ec5b99e3b18fb0235b3b039373edf9a4ea51b36447ac7d0ad464

SHA512
469507660f15a9b72cf160da089b2b4e44625010ba15cdee3d6e08f467e1d724aa0d177adbd7af926a55b0dddd016d565804ab1b2fb071ee37b48487d553b8d9

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Passwords.dll

Filesize
63KB

MD5
67df2a509df555bbbb04264d9177c4c9

SHA1
4afbe8e70698cc6cc7cb2091c1d7dd8b343e49b6

SHA256
31805c53dcd4df47675401e2f286026492a4d2c9ffb13bf5293e8955d5ec96d1

SHA512
0b10b268a5590aa4649decda9190df03673f55b09bf66660cab43f76e61cd9afd4e3ff285b6623377f883930f3221933c7abde1b795642ccd909ccb17154712e

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\RAPP.dll

Filesize
18KB

MD5
3749325c46c36e83ea28ddd92aa60c9f

SHA1
a792b9eb154fcbd376660bca5bb1cac11e29cd17

SHA256
2e717bd5321a2ac65b38cc39238dafa7e34b7446031a6a6200aca86199a59ade

SHA512
876013df8c6736ac3bed7e8efb03cc783abe33936c2f8b7908b554b5584c42a8e81f953f7c4066576d8ef931026eb4af84618179cc0001519c493f6651ccd4be

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\RDP.dll

Filesize
17KB

MD5
2bd24da470e3968fec572600d4637f37

SHA1
752a3ee7e92e6141c26338b327b5a060c0583030

SHA256
c5d5123886fc5e948693a2c1cf14b6b1262f2b98b2ccb6ee3b06bab0c32e6c00

SHA512
60df75c2362a991ce108ed2b52d47316b56b527eef67700b89a6aa8dc52cb0f223991fe6b9819d4c047c5445051078d55965209bbf8f7c1421fc0dbc12fbc393

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Plugins\Ransom.dll

Filesize
14KB

MD5
47ced016511c0edca8af7e371ed50136

SHA1
83306913534c4a2ff234ce1dc399ac017978a476

SHA256
d47f10f19ff148464747bf7e38f7fb44c1d99569d4a9b31eee731abacd540a2f

SHA512
459333e1c3437b13db1988f901c97f16ab6e99269b3459001e898f661322b4ad034046b29561c0a6b366ff3d2c69a27334d49623744e3ee4f3341789b4bab37a

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Profiles\Builder.xml

Filesize
1KB

MD5
3fcd4ac4720febae7ed0b81913daaf1c

SHA1
7d2ec4090023cc93a453c65782c78fe9bcf5afbd

SHA256
b4b7d0f7878a60e5d641443a7d4720e178568e6febbb38a243d3b9fb8a30842b

SHA512
c6a5c5c5d17d2e56fd2fde8705062a8916673ec5557ef9f30c9f62c67877c72f5b8e4528a3a8a8ec24f74e5c52ed385442483606b13972bcc645257a5826f2ca

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\Profiles\SocketPort.xml

Filesize
57B

MD5
5f807862258a390b2e2f75abb6d2c865

SHA1
22abc144aa034c6490cbf143a8f1cdd42bd06d1b

SHA256
7b87c31f6d1163fc236651f5e1f3187cfa0c79d4a85d20c1c05f1dc3056c4823

SHA512
b831e4b2eeec23e39544961cef6619c8d57c50b53dc6bad8846682df6f5252041f50ce33cbe182488288d6d5e2e3e5194055ee4143ceb09f9601ed49d39dba39

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverClient.exe

Filesize
33KB

MD5
e8dc72a7ecab57e97173e5e0de807b2d

SHA1
dab9a3fc86654cd61a406669e6d57ea86a5d5098

SHA256
b2ec71ba3da970b019930bd87c8f08a0cc08c73e44574c20a7762bf266fdb6d6

SHA512
737b19028dc5c25b938c2d64eb6eb4eea3f759e4ff2cd85a458a0b2d4ee357c929f7796bf823e510c5cfaa5f6ed587f544be1a20a5e0c39f8e699ff06b7007b1

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverRat.exe

Filesize
25.2MB

MD5
d6527f7d5f5152c3f5fff6786e5c1606

SHA1
e8da82b4a3d2b6bee04236162e5e46e636310ec6

SHA256
79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9

SHA512
2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\SilverRat.exe.config

Filesize
526B

MD5
d6f1152d647b57f64494c3e1d32ede94

SHA1
a35bd77be82c79a034660df07270467ee109f5ac

SHA256
a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72

SHA512
699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\bunifu.ui.winforms.1.5.3.dll

Filesize
297KB

MD5
c1d51a0e747c9d6156410cb3c5b97a60

SHA1
86312cba2eb3495cc6bec66d54d4ab88596275d8

SHA256
6937052b86bc251be510b110e08fc5089d3bd687ce2333a85ea6d5c2c09b437a

SHA512
a8d7b2e5555c01076e8dd744d21d8cd901aaffad052af0e8c22269e8c2f765019422ed245368a64d64157652a0e4fcab1a889086fde4e139b4ccf5f7bad08222

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\cgeoip.dll

Filesize
2.3MB

MD5
6d6e172e7965d1250a4a6f8a0513aa9f

SHA1
b0fd4f64e837f48682874251c93258ee2cbcad2b

SHA256
d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

SHA512
35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

Download Submit
C:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\stub.cs

Filesize
84KB

MD5
255787b7316051d866d8a8a384102c9a

SHA1
5a9fe0570579b7fe3916ec51abaa6606cf44dd18

SHA256
1ffef5d31a2d6dbc01177fcf7835c9d9eeb4334bd39b20ec76eb2be1ba429f3f

SHA512
3016709d0ca83b58abadf1db647ff313105fa03e738f016cbb6364fa258c1824bfb692117ce325b1189a73242208fbcb58825c0abc022df06b771ed0937594db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\agfeltil\agfeltil.0.cs

Filesize
87KB

MD5
bf80e960c5b22f95fe10c3dfaa988fef

SHA1
d425e8b2e33412b4c3b5cb85d592653e5bdf5d5e

SHA256
6fede5747e296af79a9f943194dd1d87edbfc4201f49fbb1b858eaec35fd4e36

SHA512
eb51af6a63274e8ceab79b8f25ed7da25d7eeb19422f6cfade64c0f938160a63e1d7fa1bf97cdcad4562c9eacbec9138f009c6d4313a0ec5523a0bec1252d848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\agfeltil\agfeltil.cmdline

Filesize
319B

MD5
912626a5a89f91572c02197a6541599b

SHA1
b1cef8cab3b06d2742151b8ee1b91c60d6428aea

SHA256
fbbeb4ab0722c77bc2532c76821b1e0c3deaa45e7a41bd2fac9dd7023fec4e23

SHA512
4a16619fa507b5765b50a3bf0e445116b0fb6589ff82b81be30f359584774c009fc1ed8e4367a1bfbd925ea9a25c2ca100cfe79beaaf5ffc6c42a30b775f7467

Download Submit
\??\c:\Users\Admin\Downloads\Silver_Rat_[FULLCRYPTRES]\Silver Rat [FULLCRYPTRES]\CSCC5A5E2B656A47E0B3129068B827DE1B.TMP

Filesize
1KB

MD5
8c0a1f2b904af16969873aa36f4fd60c

SHA1
a2509390671f63924f9124a81b515cff807cab99

SHA256
d8fc284ae033b8f26c85fa6272ea0a6ed42bab7d363f1dbcb1f60fafe7c47b9e

SHA512
9b06fc51cd3bd8c0d10d3a66812487e962893fcd43e2233b7f54865c0dc32d0ad065fb7b39421e82901f234f71845ebe87a44a105f0f87f7da2ea855edff0381

Download Submit
memory/5020-609-0x0000000001200000-0x000000000122A000-memory.dmp

Filesize
168KB

Download
memory/5020-561-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/5020-592-0x000000001F2B0000-0x000000001F306000-memory.dmp

Filesize
344KB

Download
memory/5020-589-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/5948-379-0x0000000008490000-0x00000000084C2000-memory.dmp

Filesize
200KB

Download
memory/5948-377-0x00000000076D0000-0x0000000007922000-memory.dmp

Filesize
2.3MB

Download
memory/5948-365-0x0000000006780000-0x00000000068F6000-memory.dmp

Filesize
1.5MB

Download
memory/5948-361-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/5948-360-0x00000000069F0000-0x0000000006F94000-memory.dmp

Filesize
5.6MB

Download
memory/5948-359-0x0000000000080000-0x00000000019AE000-memory.dmp

Filesize
25.2MB

Download
memory/5948-373-0x0000000006970000-0x00000000069BE000-memory.dmp

Filesize
312KB

Download
memory/5948-369-0x00000000072F0000-0x0000000007440000-memory.dmp

Filesize
1.3MB

Download
memory/5948-378-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/5948-380-0x0000000008700000-0x000000000879C000-memory.dmp

Filesize
624KB

Download
memory/5948-594-0x0000000014160000-0x00000000141A8000-memory.dmp

Filesize
288KB

Download
memory/5948-593-0x0000000013F80000-0x0000000013FC6000-memory.dmp

Filesize
280KB

Download
memory/5948-595-0x0000000013900000-0x0000000013926000-memory.dmp

Filesize
152KB

Download
memory/5948-596-0x00000000124F0000-0x00000000124FA000-memory.dmp

Filesize
40KB

Download
memory/5948-597-0x0000000013B90000-0x0000000013BC0000-memory.dmp

Filesize
192KB

Download
memory/5948-384-0x0000000008C10000-0x0000000008D5E000-memory.dmp

Filesize
1.3MB

Download