Analysis Overview
SHA256
a384bad25740a4b783eaadd6ade53d96e878e1313c34321ddfb23149fbf6366d
Threat Level: Shows suspicious behavior
The file Silver Rat [Re Lab].7z was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Drops desktop.ini file(s)
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 13:13
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 13:13
Reported
2024-09-25 13:17
Platform
win7-20240903-en
Max time kernel
57s
Max time network
59s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08ad3304d0fdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000f97fcd54441827ee68a80e4eb7a0c02b359a2266e19516278872f2ced719efd0000000000e800000000200002000000044bf45e32d106afd2c0fd41208899919de464e1ee97b547b5caf8ba9b42bd13d20000000dbebaf88982191c9523338f76c4f77ce449b20720e79502c98ed92a9be812ec64000000053f85e5181ce3f349f06b9cf3a4ec6d28b12fd9bed2def4c09edac3548c7fa80e34d6889a077d2e69b9d0d4b1fbc7c903b1d396c66d5a37d24808ed4512ced3a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{59DBC851-7B40-11EF-B788-5A85C185DB3E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab35D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar38F.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 263ef293e908a67d3cbd38cddbae77fa |
| SHA1 | 56d6afe7fce5a475769d8031a4d0b5d699dc76ff |
| SHA256 | 49bc1574af9f42dff5fd1de10cbf6e4c22c2e3a1beffb0d0bc6379dc73010627 |
| SHA512 | 7b61c5a6df8ce894c24ec797532917a9d43857234d01f56d3f85f865b492b2df606804a35c4c84a0fff2a8aa2f236b4be1bd0f27e2a17f7a584915f92a83f690 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a364d3233c84b7bfd2e1fc1c2dd8d7bd |
| SHA1 | e14839d68b880292882edaf0fd48f0147f53af81 |
| SHA256 | ecc98e6da5a6498f8148bef7aac3005ff679736d2d444945e3c7ed3560518767 |
| SHA512 | 441f816c98989909e99774c8a69bb878f17ee0c3a406058cbef71f6253127bee65df0da43d77decb002c917d9299084e7e7a6e78d029d6e70e69f74958c3c253 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d3698ef0389622cc2223a7be398490c8 |
| SHA1 | b45065b49c63367ce2c0a4822ec9cd42ed3f6568 |
| SHA256 | fd30709bdfd715eac71805a3b710c848b30fd3f4f4ba24544ea690876a8f2466 |
| SHA512 | 8b7e1592902564e3ef1134c4e07cd58b639faac1e8ffbdd8d368b6f6c7be3bce0058735feb49f27ea2dc54663aaa33bc79a8f9372ac553110280036dbdeb6825 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b859b1246486feb907dd93b4dd9d7a4 |
| SHA1 | 2efcb5d82515ef76e1f1328a14203b693b1552fd |
| SHA256 | 8a346ae8ab20a42da2ad149f26b7bfd0b55cc97b8781977959764ae979aa4e92 |
| SHA512 | b507aeb7289a5d3a11882742737de95d9c93671e9d4afa1e5364ceceaf8c0d9eb026c00a607e02088c76b4e07ccab5b11e0410c4b0c4c828840c7263a92d6d0a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 34186aedd599d1063c745f3bd40150c9 |
| SHA1 | cd9d8ac84ca0a79db1671c67bf18a8ed17ac63c6 |
| SHA256 | e44a1b1ad5ad3848ee7f2feb9b03ab19d2f6c2282d85397cf0b78dbd63ba1ef0 |
| SHA512 | b5eac553c061100ff725fae4ce08ba335c86bbf388df40ed700af6781c674a96160820608158f9d7414f9040a4cfd3c1a4f8d54922aee1bf5e197253d9b296cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f437c298977fe16ca1c823d342ea5539 |
| SHA1 | 3ddb732ea5d2db4f8aedc8b12174868e8e7fdc66 |
| SHA256 | 6582751765ca273c7171131838bf491f2ca5877ffb5493d3416650fcd6b5df50 |
| SHA512 | e0d118b15bdde07d1653ddc5cfd166b00b53853fca3b10e45f84aa6762b30d59853d742930b9e4535d285161f62ebfb95bba8fdc4a70b86f9a5bea894ab29271 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e42c0dfb9601f03a768a2556978c1019 |
| SHA1 | 8420ef20bd1c20caa279f47baae567aba021a8ee |
| SHA256 | 539a87f12246287cf4d0e531203cfcbe4e92319c67e70db6975366c02cbdcb76 |
| SHA512 | 2c62a5cd0d2f44cc5ccded3f6d279802181500ba2ad66c9217601086d813e927c7a3fc75ad0ec3d3d4e169795366b93c7ca1456a557739215646c451d0c3a07a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 821505cc9d81630fa91a8a9d4979dfda |
| SHA1 | 62bc41f5abf7ad7c2cd2271b254d137336519284 |
| SHA256 | 297176fda5eaa1ec243fb74fc4f65161773a769f1e84c692bb6fd018f8036507 |
| SHA512 | cb01ebb6cef0bec1739fd9016f47183efb28b703c75d310eee5327da993dc37ee8bc98a4196988398fec21e381d9755177472187b267b2ea012246ca2bfe9555 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bda9f926a1eb8f00a0dca52420f329cb |
| SHA1 | 328c5b9e4dcc1ffb9881627c4293102f1e36915c |
| SHA256 | e6f492e3ae7577dab87218df6639e9ec822e7e6ff1d6e13aa973aaa942d96947 |
| SHA512 | 9f1a687c063829e00b4b9242b0c3ceda568de5645357e8a447c7f5be720ae114ddb2f925b18fe89b318f2ad5b9865d8b0715f48705153f9b4b5197dbbfd25ef5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 920fcbad00451a8dbd8d2c9ea45764f8 |
| SHA1 | 9c8fb935f7836a38111c8c3acedaaf9e59e8fdbe |
| SHA256 | d97ff3ada346751e4d8200fad0b494942067743800e6bca5c0cfe60bf03d842b |
| SHA512 | 2c8e55aa2335717b1d692d0435cc86ca497628b649fa95926cb8e8d302d0cf99578bb36844bca2e7c4dcff53eb2b41fff844be44b2750bb96b52137c95d5bd55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 23ee0ca63f0855b04ec49698998a9d9f |
| SHA1 | cc4f2839adde52674e7b01937630554971ca00e3 |
| SHA256 | 3f8eebba942b826dc0989b7c87c96ab3079616d9b483cb76fe77b4cfccc39c56 |
| SHA512 | 7d7426a7b5a3b2edd3f84fc7cff115c3a235696a6e948b2904481eca3cf4614176102d97d41232e9b5324dcb0f06efa26e244f8d9d00cb7a3e236f900bf74fe7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a19d63c16ffcfa7a8b9aa89aa8516d0b |
| SHA1 | 52a447db99159b18e171e7bd05043bd58417403a |
| SHA256 | 188b315add81ab8b42f6215b8aafc5dbc59ea17826a6f34e0ca55c95ff9927a6 |
| SHA512 | 724dbf6b6a6b6be7311b6d5235d5247cbe668345c6d63cc61bd6278f02a4da400693384866cd63db3506f7d92302f2a41ee5e1b6d56f072662dd9be0da337916 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 13:13
Reported
2024-09-25 13:20
Platform
win7-20240903-en
Max time kernel
230s
Max time network
231s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e025c82a4d0fdb01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000f6160885290c1ffd7aef10690a5c067661bacffb2b8c6ab4e4cb2212556c8073000000000e80000000020000200000009eb73fa119317885a7fe7c63a5c90bea8cdb11f4b993b28dd01f2e67d015070d20000000e8c82e9b79fcff4fff387585be69f36d9e5f5c9bc1f0fc06311cc3ad3c169350400000007e5bc7608dc6d9a8f57af8d16bd422ee6e354d4a81668a97479d74a18e5e298fa703129d43f44550c5af770398655599ef13aa6228e885af1852e17f67405f48 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433432040" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{56509621-7B40-11EF-8C8A-62CAC36041A9} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0" | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF} | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Games\solitaire\solitaire.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab18E1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1970.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7222042b78a4460de3635cf028451b3 |
| SHA1 | 6e2fe1799c27012c29279f31a0a690e46310e0b4 |
| SHA256 | 454393aabea50bdf7bee37e379d67008e6380808ada809ac2ae78f7392e7d860 |
| SHA512 | 01d13a6165bb174701f969650a1688628c66668d25c71c94256ed6bda0a5a53ce862f263f477bd022612d80f3d212c4e292e8092fa622d1f90f6022f8772fad2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ba22d0ea29079fd1ca61d711c2ceae1 |
| SHA1 | 0eacd58ae0b19871f34ae3734e2062bb252f51e2 |
| SHA256 | 6c0489d5187b1651422e0e4d544aff417b1031225db9dac24d561241b0755895 |
| SHA512 | f66f320a56213d0c0d06f2ac2bfbfcfd2eb24bdf27f52eda77fceacdf41249f89a0f8dca7d70ff45bb18736a96b870b228b87d86478f83cbc8b52993cc12dcfb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f14df5a160497f0b0ef03c078ba9dae0 |
| SHA1 | 80528d20ed7fe73be940e555bdbe2f7a79be5a77 |
| SHA256 | dc75582a95cfca16723a09820aca712b8fe9db963cb1d0d4314ba6ef5cd56994 |
| SHA512 | cc9f7c185203938ad43fd95eff94a3394abeb14c986a0c179b4928b1e5dee1e12d2a5ce33ccb32ad3e29f7baa08981b2f4dd49cb9f62a5f89e43dcdb7fba496f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84f93e4ee866f4aed5d17d25cdc59c43 |
| SHA1 | 1d458de60ed2f61c29838f4b1a41c851a3a5a60a |
| SHA256 | 0568ab391bafec5c87ff08dc5d6e3a3902db298daa626726e077b003e5ca2df7 |
| SHA512 | 62fb404778a8654308db029c69b60c97c52dabbb44ad3c7e05e83bf4733a44b5a666f092348b929b0bcc60da427fa179fb12175b8c0b649278793605e4f0c0d8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84b4352dfc1e32f518a9981719e265fb |
| SHA1 | abd1c78095c4f057c0777ee92bbf7b726d2d716c |
| SHA256 | 5405173c3b62994d3e90ae754b147cd68f2c7c421ce70d471b19d3efc11758c2 |
| SHA512 | 98205689ee8e93faa316ffb7e4f424e32d8557bbb84f2353f94f1d9519adbbeea8be7b68575263e3fda5446fe16876a4bedb01dda28d7f65ca1661f3fb1d6656 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f11fa23cfda55f03734b15685d970c81 |
| SHA1 | 58e9fd22acac9f63deda8d6b8d9bcc5b83a391f0 |
| SHA256 | d26d281080a84a6a8617c42a90e7f5f6f479f185b50dea81d7f79e3eac9df967 |
| SHA512 | 76ff999dd2d413c1c720f167d4fe4a4ee05b14741e3c767136705b862107a91a69171b491a1ecc4bf63068cbe9e85aa900e60661c1189656f634ce8faf60f8f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bab98165ba247a05c4248ab967c023f2 |
| SHA1 | c7ed130b58e3c78e48145f65db292c21dab8df37 |
| SHA256 | 62e6739fad2f475f90a9925b5ce50ca330dbcee01f8e443d67a327b95124fdf5 |
| SHA512 | d7df90e68be061fb2ebfa880ec38c87a3c252717d1f2dede7fdeccf7c29f1ae7220613ed3ad011a5eb7bf303671338bbb181c07991e6dc4de84351f60e6501d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95593db64dc4d5dbeb623d3e2ababed5 |
| SHA1 | fce1f88378e4cb1b7a1b6752fb0477fe80af4121 |
| SHA256 | d3053bed6dd8a7a2a91f25530ade529ed80bc0ee4f6b813dd5d2722d5aa0afdd |
| SHA512 | c9ee31346215a968b88bd8a38365f7e0429575bab00fe00a94beecefbefd112511831e911f99c8c48255cc4b7c0de190127c77cd966e6503913b305c5fbcbe60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c7da230017464685e7099ec144d5362 |
| SHA1 | 82f7e9c31efe219061d1db8e00df80af07105fb1 |
| SHA256 | f0c2970bf8745f3a27f27a01dbbaf251823bf426af3f36311b5977ebf9b6b78e |
| SHA512 | 784ef21e736194e4b530761591c6b5af48b157b0afca4103eb91da7907f600779f934c4e9d9eed099f0002c2af544d8b6b3bc2d872e980b64f050bddb7ae53f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 713734a66e26623c9841b7aa5c3a9cd1 |
| SHA1 | d82e3730ad5a81b917d5550160555d43be718fae |
| SHA256 | 0ef247d2cfcf19a5efbb9d56240c06df11aa6fbcca3aef9bf32140f03dc4a970 |
| SHA512 | 0c480aa4107296778b004103fa7ef70f8da3de623f35143a8b5086a2f35f3712227da38e57880d7f5514076ac16aa989c407fdefa69afb1a2f5260c275600bca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c2613689664815d2284a07243cb951f5 |
| SHA1 | 8e1a1fc81a5d38ff6ca1d7b079187b059b26baaf |
| SHA256 | c8bb3c4b77ed766a3877f4cd100db630bc9b00ae1f8ee6eff12d9c838a0aed40 |
| SHA512 | 39cd452b74f0624fb7141ebe1925a4314b60bc33303c45d38a50e48c5382a33f9958001791cd5b0c72646e1856f234a924a24294c0b38e3034606373bd492021 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4cfe8ac67caf17c3e72f484d5efb593f |
| SHA1 | bd94f99e9006e9ba70f82a07a12387b2ea505404 |
| SHA256 | b35864e365871adf415ab2312dcb9d9acc0941a8fbfd0839cf8846b6924dcdd3 |
| SHA512 | a7c9202a3ee5a3e51738f2b074e738829fa93d1261694cf48d451da9f161b9c5515b5a8ae4f81c430a0ac802e49bbce2d87ba7ba99cedceaf326ab961a14aa32 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47514d16a7080aae9a4e7f3a84ed2cea |
| SHA1 | 6fa8febe4992a29164b05699d3f9bf89c90bd655 |
| SHA256 | 3ba6514798ead7543dc683977bf6d12726d9bfd1dee8319ae2156ee75a4f1ca9 |
| SHA512 | 18d0cb72745fcdb55c612a555b3e712d02e8207cbde64b704afcc177c6672284e0fdd66c36638bc87c9e4181174d819767029774cbe80ba3ec6e25dcc46be33a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 37c5d673e46ff23da43dc8b2fcbd61a4 |
| SHA1 | b1a3d890f9d746dd7593d027c47eb5a79705f56b |
| SHA256 | 025409a04eb412c47527f868a72bcb13df8342a5ecfc3030149c47e3ff92ee19 |
| SHA512 | dc37ac360e89e7c798eefad0f09620cd491406233332f72f1600fec4800656074db85196bba5e51c15adbc309a14c5bcfe9563bdaed188e99bb21fb9eb7b5858 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bdfeccc46f774e9ce9f9da4f729b4a6e |
| SHA1 | 4eed8151d7e0146bf06dae82a462c3d4925d2ea9 |
| SHA256 | 1eada9446bc3988f5e0b22b9ad9364cdc90c6f7b9301a005ff895f094da2e944 |
| SHA512 | fd03d61a830190fc7908fbb81d121bc8ebf7699f348ecff3a2299c542d13fa57239ad79af4980c084784ded0cc68338253f325175cc11725928e6306691e122a |
memory/1996-862-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/1996-867-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-866-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-865-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-863-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-864-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-868-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/1996-869-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-870-0x0000000002150000-0x000000000215A000-memory.dmp
memory/1996-889-0x000007FEF5D4B000-0x000007FEF5D60000-memory.dmp
memory/1996-888-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-894-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-893-0x000007FEF5C40000-0x000007FEF5D71000-memory.dmp
memory/1996-895-0x0000000002150000-0x000000000215A000-memory.dmp
memory/1996-896-0x0000000002150000-0x000000000215A000-memory.dmp
memory/1996-897-0x000007FEF5D4B000-0x000007FEF5D60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}.gamestats
| MD5 | a338c1bb5704e723487ef4f8d5d592f5 |
| SHA1 | 9b6e89c7fdf4ed588a98b673dcc3073f85eaea5d |
| SHA256 | c096f55238f36481b0e846e37004e813ea0b34ddbc7a94f0155fd64ed4dd5672 |
| SHA512 | ab62aac5a5fb6f599616d0998cb8011ca18c0631e42451958af89bcaa8db2b6e179651cb14c94f3f6868b0c8632a4048f8c9e6ba7ea6a31abb168e1362188952 |
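Reading this listing by hand is error-prone: the same CryptnetUrlCache MetaData path appears over a dozen times with different hashes, and the same memory region of PID 1996 is dumped repeatedly. The CryptnetUrlCache directory is written by Windows CryptoAPI when it caches material fetched over the network during certificate validation (CRLs, OCSP responses, AIA certificates), so repeated rewrites there are a normal side effect of the browser activity in the run rather than attacker-authored output, and the Game Explorer statistics file and desktop.ini are likewise OS housekeeping. The helper below is an added example (editor's code, not part of the report or of the sandbox), it parses the listing format used above, flags paths that match such known-noise locations, counts how many times each path was rewritten with distinct contents, and collapses the memory dumps into unique regions with their sizes. The `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` field layout is inferred from the file names and is an assumption, as is the noise classification; the sample input is constructed from a few lines excerpted from the listing.

```python
"""Triage helper for the dropped-file and memory-dump listing format above.

Added example (editor's code, not the sandbox's). Assumes the report layout
shown on this page: a bare path line followed by "| MD5 | <hex> |" style rows,
and memory dump names memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (that
field layout is inferred from the names and is an assumption).
"""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Locations Windows itself rewrites during normal operation (CryptoAPI's URL
# cache for CRL/OCSP/AIA fetches, Game Explorer statistics, folder view
# settings). Classification chosen by the editor (an assumption); extend as needed.
NOISE_PATTERNS = (
    re.compile(r"\\CryptnetUrlCache\\", re.I),
    re.compile(r"\\GameExplorer\\GameStatistics\\", re.I),
    re.compile(r"\\desktop\.ini$", re.I),
)

# Constructed sample: a handful of lines excerpted from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7222042b78a4460de3635cf028451b3 |
| SHA256 | 454393aabea50bdf7bee37e379d67008e6380808ada809ac2ae78f7392e7d860 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ba22d0ea29079fd1ca61d711c2ceae1 |
| SHA256 | 6c0489d5187b1651422e0e4d544aff417b1031225db9dac24d561241b0755895 |
memory/1996-862-0x00000000005B0000-0x00000000005B1000-memory.dmp
memory/1996-863-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-864-0x00000000020E0000-0x00000000020EA000-memory.dmp
memory/1996-893-0x000007FEF5C40000-0x000007FEF5D71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}.gamestats
| SHA256 | c096f55238f36481b0e846e37004e813ea0b34ddbc7a94f0155fd64ed4dd5672 |
"""


def parse_listing(text):
    """Return (files, dumps).

    files: one dict {path, hashes: {algo: hex}} per path occurrence, so a file
           rewritten several times yields several entries.
    dumps: one dict {pid, seq, start, end, size} per memory dump name.
    """
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row without a preceding path: %r" % line)
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        # Anything else is a dropped-file path line.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def is_noise(path):
    """True if the path matches a location Windows rewrites on its own."""
    return any(p.search(path) for p in NOISE_PATTERNS)


def summarize_files(files):
    """Group by path: number of writes, distinct contents (by SHA256), noise flag."""
    by_path = defaultdict(list)
    for f in files:
        by_path[f["path"]].append(f["hashes"].get("SHA256"))
    return {
        path: {"writes": len(v), "distinct": len({h for h in v if h}), "noise": is_noise(path)}
        for path, v in by_path.items()
    }


def summarize_dumps(dumps):
    """Collapse repeated dumps of one region; report its size and dump count."""
    regions = defaultdict(int)
    for d in dumps:
        regions[(d["pid"], d["start"], d["end"])] += 1
    return [{"pid": pid, "start": s, "end": e, "size": e - s, "dumps": n}
            for (pid, s, e), n in sorted(regions.items())]


def report(text):
    files, dumps = parse_listing(text)
    return {"files": summarize_files(files), "regions": summarize_dumps(dumps)}


if __name__ == "__main__":
    r = report(SAMPLE)
    for path, info in r["files"].items():
        tag = "noise" if info["noise"] else "REVIEW"
        print(f"[{tag}] {info['writes']} write(s), {info['distinct']} distinct content(s): {path}")
    for reg in r["regions"]:
        print(f"pid {reg['pid']} 0x{reg['start']:X}-0x{reg['end']:X} "
              f"({reg['size'] // 1024} KiB) dumped {reg['dumps']}x")
```

Run against the full listing, the output leaves the analyst with a short list of paths tagged REVIEW and a handful of unique memory regions per PID instead of a hundred hash rows; the repeated dump of the same 40 KiB region is then visible at a glance, and the known-noise paths can be excluded from any IOC set built from the report.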