Malware Analysis Report

2024-11-30 19:24

Sample ID 240925-qgcxraxbrr
Target Silver Rat [Re Lab].7z
SHA256 a384bad25740a4b783eaadd6ade53d96e878e1313c34321ddfb23149fbf6366d
Tags
agilenet discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a384bad25740a4b783eaadd6ade53d96e878e1313c34321ddfb23149fbf6366d

Threat Level: Shows suspicious behavior

The file Silver Rat [Re Lab].7z was found to show suspicious behavior.

Malicious Activity Summary

agilenet discovery

Obfuscated with Agile.Net obfuscator

Drops desktop.ini file(s)

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-25 13:13

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-25 13:13

Reported

2024-09-25 13:17

Platform

win7-20240903-en

Max time kernel

57s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b08ad3304d0fdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000f97fcd54441827ee68a80e4eb7a0c02b359a2266e19516278872f2ced719efd0000000000e800000000200002000000044bf45e32d106afd2c0fd41208899919de464e1ee97b547b5caf8ba9b42bd13d20000000dbebaf88982191c9523338f76c4f77ce449b20720e79502c98ed92a9be812ec64000000053f85e5181ce3f349f06b9cf3a4ec6d28b12fd9bed2def4c09edac3548c7fa80e34d6889a077d2e69b9d0d4b1fbc7c903b1d396c66d5a37d24808ed4512ced3a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{59DBC851-7B40-11EF-B788-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-25 13:13

Reported

2024-09-25 13:20

Platform

win7-20240903-en

Max time kernel

230s

Max time network

231s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e025c82a4d0fdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000034fb491e306754a7ebf7ed139840aac20c963cd3edbcd3f41d42654f8ad06f3000000000e8000000002000020000000ef3d16c55881bed70212e627d4c0136e46020df3c58336c62b6517e6fc835cbe900000008be98132ba2f043dd59835b72bcc26462b6f5caf4d8b02d282f295c5aa382c938fde9ee3cb1acfe924527bb259c1d354ad4e6cb70d4a1945c1599e84a6651ad7285bfd01348e7e30aa92c961099808fb6f0546d91a2fc6313cd5ad3c3abb449ffd41cd00cca33216fb2de8d1c12676d131c3ae688e02f10ada5b4ab565df5c74a34ebbaaa539f2bf31bbe10aa969d58f40000000d3f2a9555884eb97fdf0f34db84ebcfa42351c6255931e49bcd712bb609b87976c8863f594ca2c1848cfe7418503c8c2d3205ff56ce3e3d291b07f115cee875d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000f6160885290c1ffd7aef10690a5c067661bacffb2b8c6ab4e4cb2212556c8073000000000e80000000020000200000009eb73fa119317885a7fe7c63a5c90bea8cdb11f4b993b28dd01f2e67d015070d20000000e8c82e9b79fcff4fff387585be69f36d9e5f5c9bc1f0fc06311cc3ad3c169350400000007e5bc7608dc6d9a8f57af8d16bd422ee6e354d4a81668a97479d74a18e5e298fa703129d43f44550c5af770398655599ef13aa6228e885af1852e17f67405f48 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433432040" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{56509621-7B40-11EF-8C8A-62CAC36041A9} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0" C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF} C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Games\solitaire\solitaire.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2756 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2756 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2756 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2120 wrote to memory of 2756 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2708 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2708 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2708 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2708 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2672 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2672 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2672 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2708 wrote to memory of 2672 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Silver Rat [Re Lab]\SilverRat.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2

C:\Program Files\Microsoft Games\solitaire\solitaire.exe

"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x480

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab18E1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1970.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/1996-862-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1996-867-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-866-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-865-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-863-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-864-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-868-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1996-869-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-870-0x0000000002150000-0x000000000215A000-memory.dmp

memory/1996-889-0x000007FEF5D4B000-0x000007FEF5D60000-memory.dmp

memory/1996-888-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-894-0x00000000020E0000-0x00000000020EA000-memory.dmp

memory/1996-893-0x000007FEF5C40000-0x000007FEF5D71000-memory.dmp

memory/1996-895-0x0000000002150000-0x000000000215A000-memory.dmp

memory/1996-896-0x0000000002150000-0x000000000215A000-memory.dmp

memory/1996-897-0x000007FEF5D4B000-0x000007FEF5D60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}.gamestats