silverrat | hxxps://mega[.]nz/file/PN4gDQ4I#0kdY_ZhhWBtkDPg6NqLI0jF-Ahc39WSnOZ4VJ8hk34A

Analysis

max time kernel
110s
max time network
107s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/PN4gDQ4I#0kdY_ZhhWBtkDPg6NqLI0jF-Ahc39WSnOZ4VJ8hk34A

Score

10^/10

silverrat discovery evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

auto-london.gl.at.ply.gg:51655

Mutex

SilverMutex_kTAAZjMenK

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1253749007772160090/mxExcAUGlJgTCbYOk_u7JJAnNpsIhMne5e0PjqkRY2MV_40Bgpix2Ezib84aFxRmN66j
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
QnZ2VW1rTFlUa09ESXhCRkdHYURSSlBBdk5SQk5J
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
0
server_signature
RMCh38rJRIwRMYf2Sbpd9BzSePeTpscme+fLNDX9Bf6O5IR+EWvJS971m1lprJ/vpdLYQPZIImuX69267sqtVY2b3yH1lw7e7EZaXIHsGFR2uyeUjLQeAjD47DWaaKkGg8wKKEQ7AX8lBa1tYmqDorMfwQ9K2xlGjrxnS9ZotbBaz/KmFDUSwnUEWc6K5tKdqXQ5scv4Iejt9hGqjIxCo1c3AyRwr1eezKhGK66t4Y1aPVfqkIwuI23vWEPPjJYRDn5dWq5EykrPUBvH+OORD9xrQmM63F/gLb5d5/LlrOqSfkd5/yTv8YROpQfzMAYH5k10o6P4I+oBlGpJ9MwzL5Y4JBHSJyiG/m9XuEYKxe1zgffuIhU/xo30i0YC/hkKd5U8BP5k6PdZg9OLI+a8k7sa4/Sk/9Zkjx27VuOZdZs8IMP9t8mumexIqz2fvkwSO79gNHehbK8Y1feAFrlzCMoxK06XKuMRCyGOPse3sNm57TPHUBbk5yhteOGujQ9402QViU3tL9ZQR4rN71H4CBlNHaHbc0PO4+WhgxaAkr3W2/OOCyoaGrX1Kv18VFwwqB9Gqj0wG0MsA+femZUx/+SY41jQ715JwPCrD4aNkKu7xrjYnii+JjVsgNqaLVOhWv1VjL3qkCJ9kf0c7ob8qNOXaePlpZmHsWg/fgChnAk=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3476	attrib.exe
4724	attrib.exe
5156	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
4752	SilverRat.exe
1252	Fixer.exe
980	$77Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\""	SilverRat.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5304	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	discord.com
60	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2064	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SilverRat.V1.5.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5404	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3180	schtasks.exe
4264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5856	msedge.exe
5856	msedge.exe
5420	msedge.exe
5420	msedge.exe
4604	identity_helper.exe
4604	identity_helper.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1504	msedge.exe
1504	msedge.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	Taskmgr.exe
Token: SeSystemProfilePrivilege	1996	Taskmgr.exe
Token: SeCreateGlobalPrivilege	1996	Taskmgr.exe
Token: 33	8	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	8	AUDIODG.EXE
Token: SeRestorePrivilege	4268	7zG.exe
Token: 35	4268	7zG.exe
Token: SeSecurityPrivilege	4268	7zG.exe
Token: SeSecurityPrivilege	4268	7zG.exe
Token: SeRestorePrivilege	872	7zG.exe
Token: 35	872	7zG.exe
Token: SeSecurityPrivilege	872	7zG.exe
Token: SeSecurityPrivilege	872	7zG.exe
Token: SeRestorePrivilege	720	7zG.exe
Token: 35	720	7zG.exe
Token: SeSecurityPrivilege	720	7zG.exe
Token: SeSecurityPrivilege	720	7zG.exe
Token: SeBackupPrivilege	1776	vssvc.exe
Token: SeRestorePrivilege	1776	vssvc.exe
Token: SeAuditPrivilege	1776	vssvc.exe
Token: SeDebugPrivilege	4752	SilverRat.exe
Token: SeDebugPrivilege	1252	Fixer.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeSecurityPrivilege	1996	Taskmgr.exe
Token: SeTakeOwnershipPrivilege	1996	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe
1996	Taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1252	Fixer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5856 wrote to memory of 5868	5856	msedge.exe	78
PID 5856 wrote to memory of 5868	5856	msedge.exe	78
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 4548	5856	msedge.exe	79
PID 5856 wrote to memory of 5052	5856	msedge.exe	80
PID 5856 wrote to memory of 5052	5856	msedge.exe	80
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81
PID 5856 wrote to memory of 3952	5856	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3476	attrib.exe
4724	attrib.exe
5156	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/PN4gDQ4I#0kdY_ZhhWBtkDPg6NqLI0jF-Ahc39WSnOZ4VJ8hk34A
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7fffc62d3cb8,0x7fffc62d3cc8,0x7fffc62d3cd8
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,5923807288226146898,4834123912459332268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
  2⤵
  PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4076
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1996
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:232

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6010:90:7zEvent12326
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SilverRat.V1.5\" -ad -an -ai#7zMap5489:90:7zEvent17287
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SilverRat.V1.5\PASSWORD.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap27113:134:7zEvent31160
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe
"C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4752
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3476
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2522.tmp.bat""
  2⤵
  PID:4280
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    PID:980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\Fixer.exe
"C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\Fixer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1252
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5156
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN Fixer.exe
  2⤵
  PID:4648
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /Create /SC ONCE /TN "Fixer.exe" /TR "C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\Fixer.exe \"\Fixer.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3180
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN Fixer.exe
  2⤵
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5304
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
89587750483c75dd896b25f5235e895c

SHA1
9003cc58b3d4fee1b8c3ae5f5f59f230182f86e8

SHA256
5d3d11db85a60ba530cd2d9cfcaa6ebb4025ab72cd21e7b88d0ab6ac91d75f61

SHA512
9da6fa49932b8def361eed98058a90af67f08445ef034b41336c743b5144e6126a3584ee73757d7f0fae5ad426a0d2708ed4eb554947113c8649355d01c45113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d7549ca623302e5e8369d945048ba69c

SHA1
f4d53730def8388c00a50297a5801a4eac9b80b3

SHA256
78551a7e7f6f9d8584b70960c92f648728d2185fd66d94ae16029c3191aa423a

SHA512
65b5eecddddeaedf01404437f417c8d431e31f0d6543681e79810598f5f591e8d22a441f0b0615e071b6ac81275171c10ddce7be162feb3e97b08535be5d600a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6d343702db2d6288351248817e2e400

SHA1
aca9e23b8360bd1d538451ff3e1012f836d8270e

SHA256
b6643e260b0704b593179c54fd01b9a4abaf9e8e29183bb0418a2ee71be12b26

SHA512
d0730ae39030554ef74a00dfc51b185db208702381a73a9084a2bebf9021c2d43b20a5f0ccb26c6e5a1a96c001bad7727576c2f447ea3ef560a23cf1f7d61638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0dcb385fb739727f3ab8936e1f0fdb8

SHA1
7785f6eccc0940ea8c62c40335332dbae63e9033

SHA256
5e590244ca1c9b041260ae5676da7460f4632b190e216293141f0f5a3327c902

SHA512
0f465ac4db784c5b12b014f192e64ace843a4ce42d44a1c5ca9ce82d0f8954877ae9eb3ef45caf02f404c06ffad3dbb25b523931d866a0b13d8230c0956848a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
40e0683c7f7a394c7e51b756b87425f2

SHA1
24769f921dfe1d7f4d29896ececbe15e4863f992

SHA256
96c077895e52b83e4cf6e26cb62a371d36c1255f5c49b1ea8acd00e8f5cc710c

SHA512
fb88cb5df2ea10f620911fad48e9aa1f96c9c4224619f1b4d37705f9989cc1e4993da00b1ef0395ac389f2f123dda9a11ad7948fab96b8752064b3c1af39c8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f721.TMP

Filesize
48B

MD5
1b027d199a87d1321466890f55c214af

SHA1
97e942476b982941a556f8cae501a0c1ad97bdd9

SHA256
919b5bc38443c5d3404014b654743f472aef355316683a82767f5f2709ee32b3

SHA512
ea00edbf778e6f9ee881303687d3fe6468ee6250486672681f2a361fc85cefa40947aeb7e25f61f88a688116b06e60c01e0bd72183c1a787f1716bca694f3b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ea28944c-ddbd-41a8-bb52-e49793ce5f7d.tmp

Filesize
6KB

MD5
f6f6b1f9272315ae30372f9c0d7cfde2

SHA1
78d436eff3421e1eed17e7a2c1139052848a320c

SHA256
233c9a39fbc323abc4cab36105c28e7747211707390dd802a48344b976c7d29e

SHA512
616950599caac56113f845b77e0e75be2e4a27e92afb4b8479801b89d8d03a73bfb0de225d4bba28e663f011be96f318adde8e5a36c5bb8b76faf7edec23f934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
600d71c54a7e87f4cb1a801133e2d420

SHA1
c1c6d7f6c41b5e19404b3cead612f3a876257121

SHA256
1b6566da2013b07c7151a49c8698fa1a8f674358e94ae57828d314092324fab1

SHA512
fadd5bc118eabd15ada182fce448fc561d7206022a581bc101032a7bcd58ab0898681ae6241e2393c7e95633e72da6b9c2a20db6d2c978fc43df0f5a3b6d7daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
156e4db67ff4320ee8204bf8f9dbf252

SHA1
4edc512ad5134a197d148c133afca761d1814ef9

SHA256
e6cd13c61c438ef4b5bdc3edeb97e372ffb598dfdfe66d41272e5dac41e596eb

SHA512
5462eba8be0ceb7fff819735b38bf839ffe0d5185f530c0d86a310a1a0a8b65a01369e7e47eae7688800b3f42346afa5df0d18225bb119d051632259c8a8dfcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d2712478f48990419d66fd1647db62b

SHA1
033551245a8270cf71ec31e81d184e0d9b6e876a

SHA256
f7150395fcb9d2e869b1d25d40de5ed029eab528324a51f9427719a4f36021eb

SHA512
000cf4b08ac1dce541bd52477caaa02c9e31d25d9864171f55b4b5eec9ecf7046df10c089d45ca0831416b4d8ed126af2341584654109a466f166698475e255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a23uqmdx.f0l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2522.tmp.bat

Filesize
196B

MD5
3d6d6daf7c57f561c652689f77d1268d

SHA1
f0d74525f04f37fd9be2ad138bc36fbaf19058f2

SHA256
482b81045e15a4da52f0224619224383f44138cb7aa5d94beab33fd891200ce8

SHA512
679ac7b84d36f8086f1124beff177f57af72efcc53f68f7a123a0a55d8362241d7f1f0d4b08ce74ad992961a8f3f924fd00dbd592eac6cfd2aa5cd7f4d7d0c03

Download Submit
C:\Users\Admin\Downloads\SilverRat.V1.5.rar

Filesize
5.4MB

MD5
98e17376564e59ef92ebb3c86fdfc2b2

SHA1
fc8e9a0f70fd1402ad8ea4dafc59b2064ab3da44

SHA256
bef64e21cbc611550b7ac61d9323858cdb845f1307d6466b93b6bc7a1088c4eb

SHA512
79dd6d9c84702995f011f163d85433425360a5430890293c7a29df27b4af61096c8d687f2d7e8c69bf692d470042a52b14319fa465661562069ca588542cf1b8

Download Submit
C:\Users\Admin\Downloads\SilverRat.V1.5.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\SilverRat.V1.5\PASSWORD.txt

Filesize
80B

MD5
2ac0fc5be470980cd28b52c281cfd331

SHA1
0f1ee5a9219c93af32a35418f3e0f62b4bd0208b

SHA256
5f2d5bb3b62f9000ac18b6da532ddc2b8b99b2b05b5def30001f00bf053b4778

SHA512
abe318498702759d860375180b0f109a2e0badf94aa19db7a3df073954cc686febc0192d5b9180b3867b0659c0e447207d668b91e0d0189d1f2eaddc741a2c4b

Download Submit
C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab.rar

Filesize
5.4MB

MD5
771bd2e1c6a95d3d1ca532ef231728a4

SHA1
c453be4365b2f26655c39ab5a539ba165d3f3ca5

SHA256
294092e9f3e169221b6d7ab142106974b481d253023b9cf43e687ceeba302106

SHA512
40cb9aa1d25e9a3227bbeca5dedd7fb9b36868568fababc8ea953816a41d113001403915b4c52a1996f28ce3460e958f4627204a0f6ae6091416fd5e94ac6070

Download Submit
C:\Users\Admin\Downloads\SilverRat.V1.5\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe.config

Filesize
526B

MD5
d6f1152d647b57f64494c3e1d32ede94

SHA1
a35bd77be82c79a034660df07270467ee109f5ac

SHA256
a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72

SHA512
699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

Download Submit
\??\c:\users\admin\downloads\silverrat.v1.5\silverrat.v1.5.re.lab\silverrat v1.5 [re lab]\silverrat.exe

Filesize
45KB

MD5
545d64cc91e4da6339a70d54a2443c5d

SHA1
f03344ab824c7cf0f73dcc86aa34cab36e2e54e7

SHA256
04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f

SHA512
733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

Download Submit
memory/1996-162-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-168-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-169-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-171-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-170-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-173-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-174-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-172-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-163-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/1996-164-0x0000023FBC5C0000-0x0000023FBC5C1000-memory.dmp

Filesize
4KB

Download
memory/4752-390-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/5304-401-0x000001DBD9830000-0x000001DBD9852000-memory.dmp

Filesize
136KB

Download