asyncrat | hxxps://mega[.]nz/file/iBEUHToZ#CnRyDll_vI_dkoc8MZFYEJ1fWRHIeS_5JDFSk3qwW6Y

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/iBEUHToZ#CnRyDll_vI_dkoc8MZFYEJ1fWRHIeS_5JDFSk3qwW6Y

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Attributes

delay
1
install
true
install_file
silverbullet 1.4.1 pro.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe	family_asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

silverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	silverbullet 1.4.1 pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	silverbullet 1.4.1 pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	silverbullet 1.4.1 pro.exe

Executes dropped EXE 13 IoCs

Processes:

silverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exe

pid	process
4772	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
4220	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
2564	silverbullet 1.4.1 pro.exe
3320	silverbullet 1.4.1 pro.exe
4420	silverbullet 1.4.1 pro.exe
3080	silverbullet 1.4.1 pro.exe
2980	silverbullet 1.4.1 pro.exe
2532	silverbullet 1.4.1 pro.exe
2880	silverbullet 1.4.1 pro.exe
608	silverbullet 1.4.1 pro.exe
1572	silverbullet 1.4.1 pro.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2488 timeout.exe
3980 timeout.exe
3032 timeout.exe

pid	process
2488	timeout.exe
3980	timeout.exe
3032	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 25 IoCs

Processes:

OpenWith.exemsedge.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.text\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\⼀Ⓑƴ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\D1 Ⓑƴ\ = "text_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\瑴i\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\\ = "text_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\⼀Ⓑƴ\ = "text_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\潤瑭敲e顴鯴㨀耀\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\D1 Ⓑƴ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\顪鯶㧷耀⼀Ⓑƴ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\顪鯶㧷耀⼀Ⓑƴ\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\瑴i	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.text	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\潤瑭敲e顴鯴㨀耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\text_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 560683.crdownload:SmartScreen msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4064 schtasks.exe
4944 schtasks.exe
2384 schtasks.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 560683.crdownload:SmartScreen	msedge.exe

pid	process
4064	schtasks.exe
4944	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exe

pid	process
4748	msedge.exe
4748	msedge.exe
460	msedge.exe
460	msedge.exe
2224	identity_helper.exe
2224	identity_helper.exe
2392	msedge.exe
2392	msedge.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
4772	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
1928	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe
3064	silverbullet 1.4.1 pro.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

460 msedge.exe
460 msedge.exe
460 msedge.exe
460 msedge.exe
460 msedge.exe
460 msedge.exe
460 msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

AUDIODG.EXEsilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exe7zG.exesilverbullet 1.4.1 pro.exesilverbullet 1.4.1 pro.exe

description	pid	process
Token: 33	424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	424	AUDIODG.EXE
Token: SeDebugPrivilege	4772	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	1928	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	4220	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	3064	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	3320	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	4420	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	3080	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	2980	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	2532	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	2880	silverbullet 1.4.1 pro.exe
Token: SeRestorePrivilege	3612	7zG.exe
Token: 35	3612	7zG.exe
Token: SeSecurityPrivilege	3612	7zG.exe
Token: SeSecurityPrivilege	3612	7zG.exe
Token: SeDebugPrivilege	608	silverbullet 1.4.1 pro.exe
Token: SeDebugPrivilege	1572	silverbullet 1.4.1 pro.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe7zG.exe

pid	process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
3612	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe
460	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

2164 OpenWith.exe
2164 OpenWith.exe
2164 OpenWith.exe
2164 OpenWith.exe
2164 OpenWith.exe
2164 OpenWith.exe
2164 OpenWith.exe
5056 OpenWith.exe

pid	process
2164	OpenWith.exe
2164	OpenWith.exe
2164	OpenWith.exe
2164	OpenWith.exe
2164	OpenWith.exe
2164	OpenWith.exe
2164	OpenWith.exe
5056	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 460 wrote to memory of 832	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 832	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4624	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4748	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4748	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe
PID 460 wrote to memory of 4896	460	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/iBEUHToZ#CnRyDll_vI_dkoc8MZFYEJ1fWRHIeS_5JDFSk3qwW6Y
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a5946f8,0x7ffa3a594708,0x7ffa3a594718
2⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:8
2⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8
2⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,9668845172897547430,12440008143914428505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"' & exit
3⤵
PID:3204

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDE69.tmp.bat""
3⤵
PID:4744

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3032

C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"
4⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"' & exit
3⤵
PID:1572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE6C6.tmp.bat""
3⤵
PID:1564

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2488

C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"' & exit
3⤵
PID:3320

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "silverbullet 1.4.1 pro" /tr '"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.bat""
3⤵
PID:3756

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3980

C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\AppData\Roaming\silverbullet 1.4.1 pro.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x2ac
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3024

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro\" -spe -an -ai#7zMap1153:106:7zEvent30252
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\silverbullet 1.4.1 pro\.text
2⤵
PID:2576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe
"C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\silverbullet 1.4.1 pro.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7fd93f94481a53c523da85465d74e2ab

SHA1
d708f367f57db589641234360fe2025dfa6c6129

SHA256
f18b52930b2f71995e62cf79c9ee58b502d8dd7a7029f466922dd362e2004231

SHA512
ad48026b6c886bdf7c1dea5ba33f3df9f511435dd941862af0b51f92db917e26d71e432870255b9ebd5fdd2589bdf4317605f3d5284b3e4c78b8c88deb48b0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e24fdbdca1cbecf851767e43f7b2722

SHA1
51a3b0e39c0b2532cd6e28a2159d0df09e779bf4

SHA256
23968734e1de34d4a60f48c31d88f25901cf1c1e1b31e1f1d1e1bf2627c156d6

SHA512
6a5a733d2f310e2cdbab6cce75a1a79cb0f26c6302649d8b69dd88448b3c09e7dcd472f9969d8472f15bf520fa8bcc0a8462a88fbf04cf4b2eb2f4a03ad0bdef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
797a28f4dc37d9e297f80810c1474e14

SHA1
b99b4816fe066101e227fd3f229221d363d6dd64

SHA256
740104c3fb8ed99985f5fa948a41d4f9a9df0f3cdc54ca2a0e853e907c1b8128

SHA512
52d5c9d703f67f265e46245658574f660de1c47b0fd04ae892285437ca38df600a9067423525c1d05cbe853d55e665810d61bd7e2356aa47a120c4b84ae90d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96a7582112f2417b9cb4ad1cdee73f6c

SHA1
23a5bfe2ce979505c7e11352223e997c5165260c

SHA256
de52f61baf4321db55d5990e2cabf790e5ace10e9b0fcc719c8da72f350ff6b0

SHA512
f22c08f5e1d33191395d62917732285952f401eeae39b32d20ec0f40bc442c24d0a2339d83eda8ccded65e3e4bc6057ba6379d877aac54ea39b6a71af40ef127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
dfcced46e7073deaf393b6c5b9266073

SHA1
d9e13a6d19aa65d3e0d56e7e3f7613326bee2e05

SHA256
4d3abac9c3e3cf5167a808f604cf1c09d890f030b25806b1e54f33000a26e8f8

SHA512
e839058f8251b0f109844a4fbff36e460511ebbfbb41c395af93474e1fef3297bb92f2b9e2cd9a03dcab0b0faff5c996dac87a8e9ad01c7e8b1ddf83a4685fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cbbc.TMP

Filesize
48B

MD5
065fd0d55147690c3fd0e110827c4c9d

SHA1
20144e603c1ce06fff40e64648b2a1e21559ee58

SHA256
cc82f0f513faa0b80af9c2cfde67ffe48a631ea2e2a39fbc450d402b371d5cc5

SHA512
2f804119fdbecaf2a7c0736f55a4f89d0fae3303c312f594d3ef407772e11eb1c747c0f5d769ff69f25baf6f24b54322c0fef014b5b495f392daa06b2245ae22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
48e6306c9c0dc4540f08a38b5cde98dd

SHA1
7c738b26bbaedd7700ae186916cda99a458e2941

SHA256
064f98da89c05dbc1b1b57555f56769dd4fb2bf423d7bbb87ca47da501b36701

SHA512
adf4847144e880736f983c28b74685bfa71af2352dd01635a7f4de16f75b9133bedf7c747a8a0a588f3e683d0fe9c6d655fab59b531c6e9bdc55732642a0637e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
47c0432c1c4b683f5b5f95f678f171e9

SHA1
4c36057683941fcd1eb7de2f11ed1b2e857fe8ad

SHA256
37e17a621693d1bbc10ed9638fe67e334eee481f9b3affa5d9caf0812cee6ee0

SHA512
ac23ae50cee112051603dc690e078c24ea063a201801ab91a165c6d6e91ad7d5e89ec69cf162d5d9fd91be66844efbd71c5c12e7d1ad84f33023be7ab299fc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE69.tmp.bat

Filesize
167B

MD5
08c5aa64a40ade6cb228b6a1c57df371

SHA1
c37b46d5924349dbde445c848ec6600af33240b7

SHA256
01a1b7081d00e7eaa6d7ffe5920c90cf5738fc2fbb380fedcb1545d4c1c07283

SHA512
5e79269e6d24363dfecab5987fcc15f0ea3f4e01c5feaf168dcdd0e8115a18725ad2634b80b8baec650881400665e8e9c223ee6eb7d6328a804e5e15cb76ed27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6C6.tmp.bat

Filesize
167B

MD5
90d3af65190b1ea98e922c24e28b324b

SHA1
d7a131c7f5f1d987894d8d76f342d95866682c5d

SHA256
fbc0332963f806c3d484c140f396cf9116a8d81a5a9167d300d90421135675fb

SHA512
bf499234e13e54c0f746703446aafce89421018ca3b09891953d4eb6b53da9ae3cdb573572cf77a0a7e31356f574d97691f49da396d2c294970690f01706562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE96.tmp.bat

Filesize
167B

MD5
cd94914fe8aef2d79bc5bb8c4bdd85f0

SHA1
f9d78498328a714db2d78053e1fb6f8eb28ca143

SHA256
3c3812eea1e76ed807795691c6bf730b0d37469116dc76857793f20b86552cf9

SHA512
5f1cdb782faa466fcd004caeb9259e56cfd9a471a8ca15b4c2f601525fedd05288acf660c524e407b24b861cc035b4bbc0a9f340566ada68efbd1fa13e25d623

Download Submit
C:\Users\Admin\Downloads\silverbullet 1.4.1 pro.exe

Filesize
63KB

MD5
f787bb75204f6bd8e0ab92238536e252

SHA1
cb691ce55fd1361ad20a00fc11491c033fa60f6a

SHA256
9b19ce02e4f69f8b4024f41ba410afac5f2959ef1058e4832619b8a18495c416

SHA512
dab348b27668e7115a24c1ab6ceb0a2112267d3e0ad8219a979779115ca84eae711bae20462c093c95bbdcd2371ead15b2d8645c6383169d16036b5ec2101dce

Download Submit
C:\Users\Admin\Downloads\silverbullet 1.4.1 pro\.text

Filesize
58KB

MD5
1ddbd720de366a66733ce644742220dd

SHA1
364b73d307855863d537899f30e33389a23424d2

SHA256
3df3748dc97b29f65a8c7c9f5d4ca8dc5e9f7062ddc674eb93a5161fdb8cbfbc

SHA512
4a1ebacac73a5795f3cd112f149b0ef160f7f2f50b8f98c43b6cf27702f3e4b5c38a563527acee6da350bbdc4c2901bb9dd7021f42df22a45499e1af35d4e74c

Download Submit
\??\pipe\LOCAL\crashpad_460_KRWBILOZPJBTCXHO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4772-206-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download