Malware Analysis Report

2025-03-15 01:14

Sample ID 250213-bgx6cs1mhy
Target SilverRat.V1.5.Re.Lab.rar
SHA256 294092e9f3e169221b6d7ab142106974b481d253023b9cf43e687ceeba302106
Tags
silverrat defense_evasion discovery execution persistence trojan adware privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

294092e9f3e169221b6d7ab142106974b481d253023b9cf43e687ceeba302106

Threat Level: Known bad

The file SilverRat.V1.5.Re.Lab.rar was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion discovery execution persistence trojan adware privilege_escalation stealer

SilverRat

Silverrat family

Sets file to hidden

Downloads MZ/PE file

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies Internet Explorer Phishing Filter

Uses Volume Shadow Copy WMI provider

Scheduled Task/Job: Scheduled Task

System policy modification

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-13 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 01:07

Reported

2025-02-13 01:23

Platform

win7-20241010-en

Max time kernel

896s

Max time network

904s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
(22 further rows in which every column was recorded as N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\"" C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe N/A
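The Run value above has three traits worth checking on any host: the image sits under a user-writable profile directory, the file name imitates the Windows RuntimeBroker.exe, and it carries the "$77" prefix, which is the naming convention the r77 rootkit uses for files, processes and registry objects it hides from user-mode enumeration (the report does not list an r77 component itself, so the prefix is an indicator, not proof that hiding is active). The Python below is an added example written for this page, not sandbox or SilverRat code: it parses Run-value data of this shape and flags those traits. The lookalike list and the user-writable directory heuristic are the editor's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the Run value data recorded in the report above, with the
# registry's doubled backslashes collapsed to single ones.
SAMPLE_RUN_VALUE = (
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"'
)

# Windows-signed binaries whose names malware commonly imitates (editor's list).
SYSTEM_LOOKALIKES = {
    "runtimebroker.exe", "svchost.exe", "dllhost.exe", "explorer.exe",
    "csrss.exe", "lsass.exe", "conhost.exe", "taskhostw.exe",
}
# r77 rootkit convention: objects named with this prefix are hidden when r77 is loaded.
HIDE_PREFIX = "$77"


def image_from_run_value(value: str) -> str:
    """Return the executable path from Run-value data.

    Handles the quoted form ("C:\\path with spaces\\x.exe" args) and the bare
    form (C:\\path\\x.exe args); anything after the image is treated as arguments.
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    if not m:
        raise ValueError("empty Run value")
    return m.group(1) or m.group(2)


def triage_run_value(value: str) -> dict:
    """Score one autorun entry; returns the parsed image, its findings and a verdict."""
    image = image_from_run_value(value)
    path = PureWindowsPath(image)
    parts = [p.lower() for p in path.parts]
    name = path.name
    findings = []

    # Assumption: anything under C:\Users, AppData or ProgramData is writable
    # without elevation, so an autorun pointing there needs a second look.
    if parts[:2] == ["c:\\", "users"] or "appdata" in parts or "programdata" in parts:
        findings.append("image lives in a user-writable directory")

    if name.startswith(HIDE_PREFIX):
        findings.append("file name carries the $77 prefix r77 uses for hidden objects")

    # Normalise "$77Runtime Broker.exe" -> "runtimebroker.exe" before comparing,
    # then require the real binary's home (C:\Windows\...) for a clean verdict.
    stripped = name[len(HIDE_PREFIX):] if name.startswith(HIDE_PREFIX) else name
    normalised = stripped.replace(" ", "").lower()
    in_windows_dir = len(parts) > 1 and parts[1] == "windows"
    if normalised in SYSTEM_LOOKALIKES and not in_windows_dir:
        findings.append(f"name imitates {normalised} but the file is outside C:\\Windows")

    return {"image": image, "name": name, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for value in (SAMPLE_RUN_VALUE, r"C:\Windows\System32\RuntimeBroker.exe -Embedding"):
        result = triage_run_value(value)
        print(result["name"], "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Run against the value from this report the function returns all three findings; run against the genuine RuntimeBroker.exe path under System32 it returns none, which is the contrast a hunt query across a fleet of Run keys needs.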

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target Count
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\wusa.exe N/A 3
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\wusa.exe N/A 3
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\wusa.exe N/A 3
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A 3

Note: these are the log and lock files wusa.exe (Windows Update Standalone Installer) touches whenever it starts; the table does not record which process launched it.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 488f7b84b47ddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware

Note: the TypedURLs\url1 entry in this table (dotnet.microsoft.com/get-dotnet/dotnet-framework?tfm=.NETFramework,Version=v4.8&processName=SilverRat.exe...) is the URL the .NET Framework start-up shim opens when a .NET 4.8 application is launched on a machine that lacks that runtime. It matches SilverRat.exe (PID 2716, the copy extracted to the Desktop) spawning iexplore.exe in the WriteProcessMemory table. Every process in this table is iexplore.exe, so the key and value churn here is the browser's own housekeeping after that launch rather than the sample reconfiguring the browser.
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.microsoft.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.microsoft.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00b9e10b47ddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\support.microsoft.com\ = "124" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url1 = 10830a26b47ddb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009cdd10427482b34dbf1e0607871af3f30000000002000000000010660000000100002000000082cf4032a1002cfb6a92bfcfcd72017b7662294e9ce0c1e4abf633f7d02de5b7000000000e80000000020000200000002304ea9c2facddad2453feeaf0270364f7ce27c5793797dc48a9a22661448cac2000000062a067c77e8fa559ea4971c629071e4aaf181e5623d5a2d3ba480d36df2332fe4000000008c9eedfb4cb0c5406dd382cb66ce4367b3c7aa1a1d5e3c1126ddeee13cf0693b564facd7f84c85a64491697f3d11bcb50830219c11460e1fb1bdd6f405437c1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com\Total = "124" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "124" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "445570849" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "https://dotnet.microsoft.com/get-dotnet/dotnet-framework?tfm=.NETFramework%2CVersion%3Dv4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe N/A 1
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A 60

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Note: the numeric entries are privilege LUIDs the sandbox left unresolved (35 = SeCreateSymbolicLinkPrivilege, 33 = SeIncreaseWorkingSetPrivilege). The 7-Zip, vssvc.exe and AUDIODG.EXE adjustments are those binaries' normal behaviour; the entries that matter are SeDebugPrivilege being enabled by SilverRat.exe, by $77Runtime Broker.exe and by the powershell.exe it launched.

Suspicious use of WriteProcessMemory

Process chain reconstructed from the rows below: 7zFM.exe (2840) -> SilverRat.exe (2900) -> attrib.exe (2192, 2788) and cmd.exe (324) -> timeout.exe (1776) and $77Runtime Broker.exe (2260) -> schtasks.exe (2300, 2124, 2476, 2532) and powershell.exe (980). Separately, the SilverRat.exe copy extracted to the Desktop (2716) -> iexplore.exe (2672) -> IEXPLORE.EXE (1144, 1928). Each parent/child pair is listed once with the number of calls the sandbox recorded.

Description Indicator Process Target Count
PID 2840 wrote to memory of 2900 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe 3
PID 2900 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe C:\Windows\System32\attrib.exe 3
PID 2900 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe C:\Windows\System32\attrib.exe 3
PID 2840 wrote to memory of 2108 N/A C:\Program Files\7-Zip\7zFM.exe C:\Program Files\7-Zip\7zG.exe 3
PID 2900 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe C:\Windows\system32\cmd.exe 3
PID 324 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe 3
PID 324 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe 3
PID 2260 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe 3
PID 2260 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe 3
PID 2260 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\system32\schtasks.exe 3
PID 2260 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3
PID 2260 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe 3
PID 2716 wrote to memory of 2672 N/A C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe C:\Program Files\Internet Explorer\iexplore.exe 3
PID 2672 wrote to memory of 1144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2672 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 1 (listing cut off at this point in the captured page)
PID 2672 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1168 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1168 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1168 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1168 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 2392 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 588 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 1504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 1504 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2672 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe
PID 2672 wrote to memory of 2120 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\wusa.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap2055:122:7zEvent15028

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B9D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x5ec

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:209971 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:996395 /prefetch:2

C:\Windows\system32\wusa.exe

"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\windows8.1-kb4486105-arm.msu"

C:\Windows\system32\wusa.exe

"C:\Windows\system32\wusa.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\windows8.1-kb4486105-arm.msu"

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe

"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:537729 /prefetch:2

C:\Windows\system32\wusa.exe

"C:\Windows\system32\wusa.exe" "C:\Users\Admin\Downloads\windows8.1-kb4486105-arm.msu"
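Read top to bottom, the Processes list is the whole infection chain: the archive is opened in 7-Zip, SilverRat.exe is run from 7-Zip's temp directory, a copy named `$77Runtime Broker.exe` is dropped under `AppData\Roaming\Microsoft\Windows\Templates\hgfdfd` and hidden with `attrib +s +h`, a temp .bat containing `timeout 3` delays the relaunch, the relaunched copy registers a run-once task with `/RL HIGHEST /IT` that starts itself with an `/AsAdmin` argument, adds Defender exclusions for `.exe .bat .dll .ps1`, and registers an hourly task whose action is the literal string `%MyFile%` (the builder never expanded its own variable, so that task cannot start anything). Three things a reviewer should not misread: the `$77` prefix is the r77 rootkit's hide-by-prefix naming convention, but nothing on this page shows r77 being loaded, so treat it as a naming indicator only; the `go.microsoft.com/fwlink/?prd=11324...sbp=AppLaunch...o1=.NETFramework,Version=v4.8` URL is the CLR shim's missing-runtime prompt for the extracted `SilverRat.exe`, so the iexplore.exe children, the Bing and Microsoft traffic and the wusa.exe runs on the KB4486105 .msu are the sandbox image lacking .NET 4.8, not malware behaviour; and the `wrote to memory of` rows above map one-to-one onto the parent/child launches listed here and are not, on their own, evidence of injection into a foreign process. The command-line triage below is an added example written for this page (not sandbox or SilverRAT code); the rule names and ATT&CK mappings are my own, and the input is the page's command lines copied by hand.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the command lines from this report's Processes
# section, copied by hand. Nothing here is generated by the sandbox.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"',
    r'"C:\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe"',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B9D.tmp.bat""',
    r'timeout 3',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"',
    r'"schtasks.exe" /query /TN $77Runtime Broker.exe',
    r'"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit',
    r'"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=SilverRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0',
]

# Any path under a user profile's AppData is writable by an unprivileged user.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK ID; my mapping, not taken from the report
    cmdline: str


def triage(cmdline: str) -> list[Finding]:
    """Return every rule a single command line trips (empty list = nothing of note)."""
    low = cmdline.lower()
    hits: list[Finding] = []

    if 'schtasks' in low and '/create' in low:
        # A task whose action lives in a user-writable directory, or that asks
        # for the highest run level, is the persistence + elevation signal here.
        if USER_WRITABLE.search(cmdline) or '/rl highest' in low:
            hits.append(Finding('schtasks-highest-or-user-writable', 'T1053.005', cmdline))
        # /TR "%VAR%" means the builder never expanded its own variable; the
        # task is broken, but the literal %...% is a cheap marker for this builder.
        if re.search(r'/tr\s+"?%[^%"]+%', cmdline, re.IGNORECASE):
            hits.append(Finding('schtasks-unexpanded-variable', 'T1053.005', cmdline))

    if 'set-mppreference' in low and 'exclusion' in low:
        hits.append(Finding('defender-exclusion-added', 'T1562.001', cmdline))

    if 'attrib' in low and '+h' in low and USER_WRITABLE.search(cmdline):
        hits.append(Finding('attrib-hide-in-appdata', 'T1564.001', cmdline))

    if '$77' in cmdline:
        # r77-style hide-by-prefix name; a naming indicator, not proof of a rootkit.
        hits.append(Finding('r77-style-$77-prefix', 'T1014', cmdline))

    if 'cmd' in low and re.search(r'/c\s+"*[^"]*\\temp\\[^"]*\.bat', cmdline, re.IGNORECASE):
        hits.append(Finding('batch-launcher-from-temp', 'T1059.003', cmdline))

    if 'sbp=applaunch' in low and 'o1=.netframework' in low:
        # The CLR shim opens this fwlink when the .NET version an app targets is
        # missing; everything the browser does afterwards is environment noise.
        hits.append(Finding('clr-missing-runtime-prompt', 'noise', cmdline))

    return hits


def triage_all(cmdlines: list[str]) -> dict[str, list[str]]:
    """Group the tripped rules over a whole process list: rule name -> command lines."""
    by_rule: dict[str, list[str]] = {}
    for c in cmdlines:
        for f in triage(c):
            by_rule.setdefault(f.rule, []).append(f.cmdline)
    return by_rule


if __name__ == '__main__':
    for rule, lines in sorted(triage_all(SAMPLE_CMDLINES).items()):
        print(f'{rule} ({len(lines)})')
        for line in lines:
            print('   ', line[:110])
```

Run stand-alone it prints one heading per rule with the command lines under it; the `noise` technique is the bucket to subtract before writing the verdict, and the `$77` rule is deliberately kept separate from the task and attrib rules so a hit on the name alone does not read as a rootkit finding.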

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 dotnet.microsoft.com udp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 8.8.8.8:53 api.bing.com udp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
US 13.107.5.80:80 api.bing.com tcp
GB 2.16.153.224:80 www.bing.com tcp
GB 2.16.153.224:80 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.16.153.224:80 th.bing.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 support.microsoft.com udp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 13.107.246.65:443 support.microsoft.com tcp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 uhf.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.214.141.73:443 uhf.microsoft.com tcp
GB 23.37.198.101:443 www.microsoft.com tcp
US 13.107.246.65:443 mem.gfx.ms tcp
GB 23.37.198.101:443 www.microsoft.com tcp
GB 23.214.141.73:443 uhf.microsoft.com tcp
US 13.107.246.65:443 mem.gfx.ms tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 20.190.160.128:443 login.microsoftonline.com tcp
US 8.8.8.8:53 aadcdn.msauth.net udp
US 13.107.246.65:443 aadcdn.msauth.net tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 20.42.65.90:443 browser.events.data.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.37.198.101:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 104.77.160.74:80 crl.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 104.77.160.93:80 crl.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 dotnet.microsoft.com udp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
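Most of the Network table is the same missing-runtime noise seen in the process list (dotnet.microsoft.com, bing.com, support.microsoft.com, login.microsoftonline.com, crl.microsoft.com, download.visualstudio.microsoft.com and the telemetry hosts). What is left after subtracting it is the sample's own traffic: one TLS connection to discord.com and a long series of TCP connections to auto-london.gl.at.ply.gg at 147.185.221.19:51655, a playit.gg tunnel hostname; the `.ply.gg` relay service lets an operator expose a machine behind NAT through a public endpoint, which is what the "legitimate hosting services abused for malware hosting/C2" signature in the summary refers to. The script below is an added example for this page, not part of the report: it parses rows in the page's `Country Destination Domain Proto` layout, collapses them per endpoint, drops DNS and a vendor-noise allowlist that I derived from this run only (re-derive it for any other sample), and annotates what remains. The row subset is copied by hand from the table above.

```python
import re
from collections import Counter

# Constructed sample: a representative subset of this page's Network rows,
# copied by hand in the page's "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 dotnet.microsoft.com udp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 13.107.246.65:443 dotnet.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 13.107.5.80:80 api.bing.com tcp
GB 2.16.153.224:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 20.190.160.128:443 login.microsoftonline.com tcp
GB 96.17.179.145:443 download.visualstudio.microsoft.com tcp
GB 104.77.160.74:80 crl.microsoft.com tcp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
"""

ROW = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$'
)

# Apex domains the .NET-runtime prompt and IE's start page pull in on this
# sandbox image. This allowlist is mine and specific to this report.
VENDOR_NOISE = {
    'microsoft.com', 'bing.com', 'microsoftonline.com', 'msftauth.net',
    'msauth.net', 's-microsoft.com', 'gfx.ms', 'azure.com',
}


def apex(domain: str) -> str:
    """Crude registrable-domain cut (last two labels); enough for this table."""
    parts = domain.split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else domain


def parse(text: str) -> list:
    """Turn the page's rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d['port'] = int(d['port'])
            rows.append(d)
    return rows


def summarise(rows: list):
    """Return (endpoints, candidates).

    endpoints: Counter over (domain, ip, port, proto), i.e. how often each
               endpoint was contacted.
    candidates: {(domain, ip, port): [reasons]} for non-DNS endpoints outside
               the vendor-noise allowlist; an empty reason list still means
               "the sample talked to this", it just carries no extra flag.
    """
    endpoints = Counter((r['domain'], r['ip'], r['port'], r['proto']) for r in rows)
    candidates = {}
    for (domain, ip, port, proto), n in endpoints.items():
        if proto == 'udp' and port == 53:
            continue  # resolver traffic; the interesting row is the tcp one
        if apex(domain) in VENDOR_NOISE:
            continue
        reasons = []
        if port not in (80, 443):
            reasons.append('non-standard port')
        if n >= 3:
            reasons.append(f'{n} connections to one endpoint (beacon-like)')
        if domain.endswith('.ply.gg'):
            reasons.append('playit.gg tunnel hostname (operator-controlled relay)')
        candidates[(domain, ip, port)] = reasons
    return endpoints, candidates


if __name__ == '__main__':
    endpoints, candidates = summarise(parse(SAMPLE_ROWS))
    for (domain, ip, port), reasons in candidates.items():
        print(f'{domain} {ip}:{port}')
        for r in reasons:
            print('   ', r)
```

The allowlist does the heavy lifting and is the part to keep honest: it is justified here only because the process list shows where that traffic came from. Without that link, login.microsoftonline.com or a CDN hostname could just as easily be a C2 hiding in plain sight, so the rule is subtract noise you can attribute, not noise you recognise.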

Files

\Users\Admin\AppData\Local\Temp\7zO81B8CED7\SilverRat.exe

MD5 545d64cc91e4da6339a70d54a2443c5d
SHA1 f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

memory/2900-8-0x000000013FDE0000-0x000000013FDF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B9D.tmp.bat

MD5 08aa01fa0822711bd777ba58342da790
SHA1 f1255dd689809354c3ea43959c1b5d42d4e924db
SHA256 356424911140556be00a4663240514ca8c64b3aa68a7b0fcda1d70a007f3b837
SHA512 09d29f45ae0b5c99744888044bf7c22388625d6131127d618241a54d3ec3b7d7bce5c8c38be73999b877d552bb64fb9f7eae073b27e89188aa1e1cec9f0e21b1

memory/2260-22-0x000000013F6B0000-0x000000013F6C0000-memory.dmp

memory/980-27-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

memory/980-28-0x00000000022A0000-0x00000000022A8000-memory.dmp

C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe.config

MD5 d6f1152d647b57f64494c3e1d32ede94
SHA1 a35bd77be82c79a034660df07270467ee109f5ac
SHA256 a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72
SHA512 699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

C:\Users\Admin\AppData\Local\Temp\Cab254.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2E3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75f8eb220fff4e5576612d56202acf76
SHA1 f4dffee5c17645cf9897797b891ab097f91b9e6c
SHA256 c3fc3dd58104177531e8defdf4cebb934a8846080def2235b2df52d54f2fad54
SHA512 2e6583b87ed6c47fe3947f4b6c53adce455e7b4b98a6b801457c020d46d1cd97f089df486cfd01aa2c2f1857f8ecabc61739bc10371dcc0aa2f9e4ad3632ca8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44ec557a3dec6117d63c96b3353ba99d
SHA1 9438e506544479bbf11073a960a77ca11dd00cf5
SHA256 0ea759199db9831f613a6bfd354dd8f98fac82681130db6caea952d802cd26be
SHA512 cb2e19af82d014259f03192320abd4764d0d207d8103466c1758600a8eaf8cdd97877f8a62e561cb63c85386231c499db25b47a2fa0c2e0f8084909267f1b950

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85ebf5aaa684bc0e028976bc453a0da4
SHA1 9f1ff864d584e5a43aead629971349bba86acc4f
SHA256 6c0fe5f900be3f1f8d36ae96b99965a1777c98cbf35e8378efec7ed9791acf81
SHA512 92c07c02c1df89679dc697d7985541e146b59746954c1a20f7aaa50a2de4b62c94502fb3bfda90678b183decc8ec15a9ee6b52d836a8a526c37eaa96b47d29cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 458da7e91823eea140eb64b4593facf2
SHA1 01d0c26c7a27f620a3e12aca7f5fd92d76a9fa97
SHA256 030b3d3c49aa9baf42de0238938c68703b88639060cea76cb5a17d6c87184010
SHA512 98c6164db7da9c161063b91b4f91c1263ef14fc695c86aba71ddeb9f69084778aaaa38493b13391792bf97c5fa3c6d828be18c6dc7ad0e492d5eeff54bdbf5eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7404f022780648a86043f596f56fa452
SHA1 0509c7ac81f61b3e0b648c9dd3c49116977b7efd
SHA256 99b2dd75dbb53f4c237f1fd48532fecaa52b76df380df4a272b7bf6a44ae1e8f
SHA512 b2ce26e19e87cb35cd56a1fc41b86c85e4f37af9d8d5aaa90e1410057cd99b22e0eed30299a9ae1fc58c87f9e32410dfe500bcf83f963693ec3d3fe31de0a057

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d9b12e0f533156443a5c6f3b6a9ad17
SHA1 f006787b0c61d0f8d18c21efc6001647ce646821
SHA256 d1bcec79e736d12c8a237e33f08fd4c24729678f2f66533eec628450c8fe7271
SHA512 b52c067d46129d5419fa620957f700899591706bf36e2cecfdff4f74212805a5b10d7d9ff8396b9643110ff0de9c029ecf54174a99d42eda97d1267c28663b06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae09ad613a9f3d3cafa2cbd095236f38
SHA1 751c544c8a838192d40ba99e60db187b812b2a51
SHA256 17a1a58a786b1f63014c2a1848ecbacafd70b84c4551a748eb6db907709fb1d6
SHA512 c0856a67343f173ab632a8396248b5aec4e6918858e6f5acff3c6b4087f4721c7145c9c0f106d014cc38e1cb82f5941a30122baf41649c315a07c8212da42837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08dc159a5f2604d053bb3be4905454b5
SHA1 2d2b4215ed13cec08916d9a9c7cc05c97ada6104
SHA256 ef95c50f5f2f9b2c7c1add102baaacdd97e634767ad9afa09ad3767c487a4eb3
SHA512 3fd97aa3a23fc536d02295d4f1e1ed9be5f15873cbad74d64da6f02bb91be57377bd0ad81b3fd91422f70158b182db42ed167b3770f512610635d82212b2b6ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff5cf772c658b3ed0e056bc3b87e0ef6
SHA1 35ddd83f88b7f07f97dcaa6f032a25a8593599a9
SHA256 ae8380edb3756c82f5ec43212ce29612cd56586d36536aad3807528069c21629
SHA512 734f59a8adc18365467c268746dade4a9e833e6826f87a3c19f6a6ac40587fadf8a2420d472da902423fa56beb12feb79d1d6af3271366556ab9dc3f54f29a69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 106806841ed564da1d83450374203d17
SHA1 fe3ddebe28a2253d0250dea7e76c792721e58a6d
SHA256 2db07ec7778e9ecefc907785b8dbdd699024a7dee84daf5bc31e3afe71445242
SHA512 da202e1b5ea138f1065b29c194602e82cb09228e4573e1e1ee6da5a45f151f781ef53bf57a6f2e0d224013fe58948311f39b1e5d203763d8b6a6eac7cf318242

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62965c9f93d47d2cde7be7a9675ce743
SHA1 c154d67f5a264368645eb27b6c490ebb04d5f6aa
SHA256 bd8bd85c40c784e6ed90e7aee31ad65af7dae71c1852c8803a8fd0bc702ce612
SHA512 fbae5bffe7a7e7d1cfe2a483bcb688542b2fd04b34537fb0d9b1d9bc7b74cf6acdb38149c0197ae43cfaa9f40370b7fb268a4220d0007a5e692eddb664ce1866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72f982218d18e4325968a8d33fde84b3
SHA1 0ba932e47def8e8a1147d2b09399edc691302050
SHA256 e24049258f8fd4b20426d82668f84611d1003eca01da50149e721cbff749d5b4
SHA512 8b607031f64e75ca131a891976743ce9248c144e596ee53316c215c941f93d4180e3e3c565acecf862f03587b14c816af12e834273078cc75d9916b3bfad267c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9d0d3c59d459f8f81c20f0b47f2eca3
SHA1 acee0ad9384872c8e16733081c1a1d7039b0dc8e
SHA256 03707c3c29a13b698fcc07ddafd25b72b575e801efa3cc8cc2d34a63f24cd5f6
SHA512 8fe18a00fc48c953a274f18b1e2fbe2221281b4f3334bbd87e7a12885c09c7d15067126976e0aa0526e4dac0cb49f6ba8906448064c7fe3e39a56dc9cc017f45

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 568f59ca7f04cef1383c14c943bbda6b
SHA1 577185300044deefd334699efe3c364226162e38
SHA256 1b55da810663a64b4f0b965514c598046b36ead34264d9dde48ec7f236d96960
SHA512 f0e4255556a8413a498e0c69f711b10bb970397f3b4020115c3392cf58946c93983ed62a4e64103943943400868582696a845922b93bc42b268fd68b3e917340

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 406eb2cfd6508e38fbc3d6ae4a9d8fd2
SHA1 45746f76f3e0548d6472f4ac42eeefec96cea184
SHA256 bf95dbe8fd9800925181114f5f3e6c66e2c255f4c83ac86e42b37cd81d5d08b3
SHA512 2f513460a6480580a6db24376d11e4eb8defdfb52eeb04d25c38ac2f09ae6e1b75d1d0711018fd29dd4706d00788b496552169326cc38ff649db60d2e24d889c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06632a16d69e86de4c067f138213352b
SHA1 2b7ce7ba0278b1b94f143f268ab9bf434f889546
SHA256 d22c9cab68be4b116ca4eebfc140ac500447cd955eda6528f90cdc71ec26b598
SHA512 b76bd5b182fd6b0d18c1a0b0d8b03988037596d50aab672d63ea49baee7387edc1281db6dcc8ec09785e11dcdb3325b6caba1280e08e787dd2aed82ca592cb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04245afa8b1563efc9aa3c915296aa92
SHA1 56c25812f85dd56d99bd31aa38053e7de7eda02c
SHA256 f058383c48af1df157301efe62d640aba0a09a276557a5ca7b8e5d8afd1a716d
SHA512 64b177a1a0dd029f4c8a4fbeb487389400ddd07d2b0b49d5672b71fd8f86ba2b4974d48e4189876cf44ead1705a2f54573606dd35bf9a97b91fcf3c3ab0b77f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dab0c7780f24fe61ad6e29209d82813
SHA1 7ffea4e0a4a57950e6c19d88d2c58b684017ba06
SHA256 6128388ae36c710fefe3e66b6cd5aa9cc156c3e76f0d7e1699a7a44d60e5e9bc
SHA512 972424419264258f87cba586593c6360d9ce43398ccd51976fab97b3bbc3b6aa7ec92aba852709b698cdc667bb7df388bda56f3981ef6d500b10953429dcfee8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1dce3977adacfc5781c71dda581bc573
SHA1 1c6253adc98cd9199e29b5827686ef350332892f
SHA256 f1e6650f7be3da3935d8b36afde805a0c258321a6bbaeaf1324e7c039d4212ba
SHA512 f9d5f7661909c08757d7a31dfa233ad83b80c4733e133bf412f4d3f7695b2d8f7984adea4e9c0d1036b43747f09b976c163bfd41f4e036e316dc6cd660aea9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2f30121b33be2659ac86e3083e43740
SHA1 05f590d518f739bbe784a8334d6ce4850482f9ad
SHA256 e4a10251f271f02a08b58f17de21e9a608961bf7304127ca516d5635a81bfcb9
SHA512 fcd8e04e1e0d4dcb7e6d7283c587eec89714835755628256d35f7f883546d23bcdbc38cf0b36d099161f8d9cce1108aef245536fd94f1429e55c14528972885b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36fb66030d01c864cbf4dbaef6af8bb4
SHA1 5ca58220476d415b0f59b00fbe7fc6b90b950ea4
SHA256 194622b0341187d5f4f89307ce12178d7e23648606c3720f27a5837384cd4d81
SHA512 ecceb5810cc537634e437d00c0968375755eebd4843888d7395a05c3f550e47ab625cf598c261cc6d585d05e1e5808e39491bb84e39c03fd083ec6564663ec19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b764dd5bd6ff03808c02b13cc7b1a5d
SHA1 021b9cf5af11f7876202c44b94f0b80366ade2ae
SHA256 28cfafa1f2c20cd1f3b113f9193ae4dccbf211948b280eee29f1de28fd63e3d5
SHA512 e8382f0acd536b7eb559cdbd57dca82df97d9d34aa55a0e13433738a861973aa14871ac35fc8dc853649a78586ba4d956bdb3ca861f958fc41b022786ff4bacf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f02cd9ce9099667f98ce03d4d1eae013
SHA1 05b8f7099c4c49747dd5c18cc7149402ed5cad7f
SHA256 a57fd8803c44d54e6d707abf947cf1acd57d261f91da072c4c5a2c83b199c53b
SHA512 a913f93e55e2cf837a7021101e1d2d906eaf1d567c6caf7fead5f4eec04210ceb9abc8aa7b6e4619c8f09e808f692b6bdb27e50fd73a847932369bb806bdeff6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c19592f7e70c0673a6a89e5dc085398
SHA1 ed027165850685668e0a3818c1523152d016383e
SHA256 49102780901588276cdda58a0e688f5cdef918ef8dd39ce60b0f42c3e816e5c6
SHA512 67c08de079a47cf0bd8e0d32e46a202282228819134b33a6a2fdbe5437534b471f35b33bd59e8cdeed27c39c79e60e069620968e2798f510c3d0624bf75c6f83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65144c37352d0c053d87183ab677e1be
SHA1 8237a100a7ed269b0eac04905cf861de40dfbb72
SHA256 beb7f37e2d531ccb53f3280528e3cbf73b4f449a364385876d8a546ead6cea6d
SHA512 48fde10759e11b49a191e298267f6981a2182feab770214463129088642fd807425de6b1d640716abcbcd61eadacbf4ae27d96334a69fe82b42db90ed52052bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8404acb48c395f426951e91e3e92be2c
SHA1 bbefcccd6ee3e0c50ece4574244352e9a7d9eb26
SHA256 e65ba9dfdeff62b20ac96e3ee52a75de5047df43fe38809ff22caef8ff6f3b01
SHA512 6455f5e04c568aeeb49b4e40139faa2c6c370518f7582af5516d44dabc1e39eb7f774c3c8c6188db29418dcb05735466496c132f743b7ead4f5ce61add2781be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdb9af02edc7842ed2e6b17c4720a85b
SHA1 ff8ad5179e13c75c96108e7be9d65ff717f462bc
SHA256 324b39554ef7ba90fb3cf16be08c6312865bf62860a48813842af58d078c973a
SHA512 e31250a6e9d7d9b6dc579d6a093d8d486f38fae169a41915dab33f8447d592121232bc9a3ac52627031ea0e8e04c656e02912d3ece61881d7f3c8738b22aa743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 755ea96cac5b6645f6e0f7ee84b60c8d
SHA1 a8dd553da513d246460fef361cc7c2ac7d2ef7ca
SHA256 cb93a17bfa7ad4247b67d8b3939abe188b27fab44a8344d0a07830e4ef51222e
SHA512 c8fec85a19d3234a0b8115ad5d99aeb5bcc8eff71eeb73b3f94a3bc94ac923826e51b650e00b64b94be203a344eb57c872ccdff253502e9a929c6922a6a3b5a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f7ef91331cf12efdc795e87cddb047c
SHA1 03ce54c3fc3c816a14bf8329108aee60554880c2
SHA256 374d225cabad28ddafb376bb945eb213f61d3a30b97e2c5b16d5bf95d2305893
SHA512 83ff9c22bcbb2f38bc3f812cef394bb571ca9e6ba264404a1e26dbddf0c69bf8beed16e60fc54a6b655fe357f915eb26b86a37454708e601ff9c0b77865272a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e26deb3dedac2888557d76b2da09d029
SHA1 07131c95728ad32529b08d3d346ba67497a7c60c
SHA256 a1425550f7ee6201007d5006c7125e11cc1d0d13b93790fef07f190619cdddd2
SHA512 940bb6fdae90f548a95b07566330fd28de914525de1691fd6962051ce738b6d1c013fb3aef80ee18d6191fbe8e4a861eefb938e70dc39bef1a53026c3a3717c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f83e03862fff75622ae963fd07cc690
SHA1 51b34eaddfb6b9a0db047b47f9b605c9f000292e
SHA256 acbea5bf517c7090fbb4dc87180e4ae5f6057c071cea89a2e4286e9ab2a482a4
SHA512 ed8847e6eb6a64bd300417e69e83257c7d19c777b77f657654ff2fbd909435e480358f7dd7c979d6b55cdcf954a0f767e54192c85d0ffc2fba8aea3970b41978

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2de7dc4b9739176398578d2c624b7d64
SHA1 24c8c3cbc2dba5612cda6b1b0f816efff09f298b
SHA256 099162aefa5b6bbc6159950187d6259e3d47f451909595050b41b1f833aa334e
SHA512 5d7c2d7220fde24af80366c0c964be699132ae9c3e7815f3944bfd0605cd901912117254b6e8cc2fe4d6bc0e22999f6764770eca25d11c468aa53058bfdfb5f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 535494e4c2b2ce060fc15e7f04293537
SHA1 9b56ce6f536eea100fb4d61254c255523971292e
SHA256 d773034572bea6da2fb4c103761fb3528b85bd9f7291ae38dba9e720e6c0f0a6
SHA512 ac07c6728d56339d606c1b0c1b41a42639682cdea3334b476069c3943fb8ae995f856eef2a4bd4d8dc736892fb6701e979a33a082ecf85f30b480a89b6197c65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46d4116ab389a3ccd0a7999db14a71ac
SHA1 de9309da4ec5499a7105d49ac17f6e715de4824e
SHA256 a93d0e17b170d2c8ffbf7a02b980b829a9becdb60613188771fec524c2b2b3de
SHA512 4a9b447d6a131c60b16c276644aa2aa444028a0904f86e40f436756b87325a0d1d7321f1e911bd64af1021ccbfb552de917a0c420653e0a0b8084505d61c5300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaf614361d4e0373f6ecb85736602a41
SHA1 bd601035763c96626718b94cb2740a6b360fb130
SHA256 022ddac52a4db14c05720cbdb753b1fe03c0c30a380d2aeba3a6b2f1bc9c7a95
SHA512 ad99cdba081a0637b3c4731bf275977e191472c75642c5660cf6cd70e1ff737f36ddf2911fe6c38cb3f99f600ecb478836d3807d1f41e95d4c30da89fd39b062

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f09b63d073dfff257b23e285e01d7e2a
SHA1 38e190e8a930e59dbfafb279e369afde19abdff5
SHA256 fcd8525267a583c0f06472d48f41118b0d3dfcbd6b644aaa503aa4fcf20585db
SHA512 77d372bb090a533b7e6506e3920661fa48da2466d611e681087b97870f690e5368ac7fde005cfa78bc6878ae789d7115032415da6fb8f7d8fe6acf783f478a4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2945f4dea4322ee3a64ccac6b66dd6b6
SHA1 7927dcb2536997125b3a2b1c02e730871c4704e2
SHA256 590f58124cb8d4e9ca40659110991826c69b8bd3af93d4a1126209d031960091
SHA512 e193839d1207e84305ca1c1102e6c8bcaeaada94a38cf7bcca946f83cd5778261a00cc6ef031ad72756a61a81ac7ef6d4234a936433623efa516955b9f1bed67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 864ecc173c71bab8ff426d2b9651d4c8
SHA1 c286b513fe1bcf399d9b2874a881f4da18f12f77
SHA256 faf47b329fca256851b7632ad9a08013a41c845c8181fa7c2a5906d05c3f5e1d
SHA512 5034eef6e04b65c3595093fcba616ca518a9fdf834e9a7b59b5c02a6b2c73d37908867481b4951458a7bcd1d2f9611e87e7974b844c1698b3487126bc5f34d35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b69fe55fc0eeedf69e4e12c336af6053
SHA1 ee0f68285256e157032d1ec578ede4e834a1fbc3
SHA256 e71be3070d5f492e6352a7ca2160032c7ac0b82907f137484c3a50bb2673500b
SHA512 dc2dab66d158594550fef7be04adcbaea91e2e73703b4b0d6511bf5dcca8925adf5e75369de5a2ea6f4832c62482f8d406ebcd764fb010eb21ffc3bee70812ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c083b866a5c34231868805ec582189c
SHA1 a014a04453b76263e9b2ab588675e921082f99e6
SHA256 0e662d9842c64be58e2704f3bb4e982b34dd9e3af4fc51905e84581f16f92ec7
SHA512 e96037e2f655eac524220d3c52c846176beba362f7c6029d698249b7679d7f09ae4f45de64a7f91d89eb268b965dfd3d4a62e98ab7197069dc71ef246b22354f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2b3fed2976313a2deee5833112fef1f
SHA1 0f07314911c8c7330777ef4e802a9a515174beb1
SHA256 ce115e3207ada55a3f913587c77544026dbe2c0081c29be0fa303df06a08427f
SHA512 08ea9d62ddb7529dbf6520341115fa7a1ca0218d6eed829ee0495cce59b8810e0c3d2362d62bceda732e548a5a7fc7772020931c0fc60cb11f206965b8e003c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19c39078437b05a01dff1746f735082f
SHA1 3f5a7b67dc549524e1c423d81d3c49e9a9de1982
SHA256 a5ae016f0455aa8f558e3f21e142859ec3a9e9c04b135fb163b97b30a33dbdc8
SHA512 291643c2ffcada45ef9100218129d445adb7a398f4acf872f563ae41acd296170794237b0ccea27b156ab428b99bbc4d781bbb714d7746541faad936741bc2c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f60195a2bb35c89d5698cc47a9e8bb0b
SHA1 382f3977de51654837a633f118be5cda4c09d27f
SHA256 6258bcccaa3795fc4b6f3397719e4cc33d13a06047b70b4ebd04efbf0409e0c2
SHA512 b0926a4d21efae99f0282b20dd1ce754fad70b1da615229a5a0b46ce814393f02f86f0b201f830f4ff27f289f7563393cb6ec7581e324f2f531bc61c2506ae7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c97d13459487da64d171a0bec5d68b5
SHA1 2aeadf1cffcf65b2691f52ad0730780ef952bfca
SHA256 0b54f0621b5842691e01190b424eca8b6f5fbffda4fe4ec67d29103bf608ceaf
SHA512 edd96e74c09489a774020dde2184fdb917cf288ed06f7d57de1a93228333aa53004cc95912b27cda597386689d2baa2fd91e5221d1c40d8e9687db0c448857fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c463f10fe76fbae68e281826cf68afc
SHA1 3662f982ff778455cab03611f6446de4ab4d8d58
SHA256 93d5b95c6998280f0a92476bac21c0f696ae711cbb58336ca302237102641de9
SHA512 a711161301a448d64f1f5fd21569e34fbfbcbe2e21c813b98760473e83aa051aa1816eb81b0c9a7a3aea974dc719ad88455b5eddc3c5afd261f4f0c954634b2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e7b5db2f0358f1e2696732d3853d516
SHA1 43ba059b3a694d80107e801b8e6d5f3b33e8e5be
SHA256 17ee70fe94cf5eac78bac52f4bbacf40580ea3c54f7542987dfd6b062839a18f
SHA512 fcfe197ad198650fb143e72aa23ecc5f827226801dc76551bea6370572ddea4c316d610de7aceefa32a494ac079898c684558a66e3570d19b4094a0785294b7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 723fbeff0c8ad0b36e123d2e7601ee14
SHA1 66671ee1f08ca74a081f231008c3f93cc8de2967
SHA256 5ff2d56c3321eb29fde8087151067c5f70c1e22d7eaf5dc1e3dab39116259dd9
SHA512 0943ed7e5d011c321e22adfdf7d9838bcbe1958bfb950d90f4b3f6df180a331379c3f56379275324cb444715daaefa278d0d5aa5e50fecd9d4556811b456e868

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a0f433d1a2bd0bde9c9598b8d332179
SHA1 2642995ca65637d25df1d04c75bf36b4c0c78ead
SHA256 e3da4ddb5b92f7efa070b6dee9ce14ba120a320f9099079cc4ac971e70d66515
SHA512 6a26d5cae723fa3bece6a04e2522c169c9a604059a85fcc2f36f0ca41b1e3307801922bec739acd9cc17f287b3822a4c7680cfe4706f89b2f2d0010f8fdbe600

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 528ad1ab66549a99015369f919953d7a
SHA1 04868cf73f82e5d874e0f7d6d916eafef39089bb
SHA256 30311af3373a68b0b8e7627c3c823d9bebfb5aa63b8c7ed6bd085733cf2d6c20
SHA512 e0040b470e8002130a394aeff4a779cb2929ff3b57725106dff8d72d47a2f01a142e6b2023068ea726b30c22734857bf3e1f98a172cdc68421bb3767b8695d1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef925986cce3fa8c05c54e660740a78a
SHA1 7cfce91b288dc781f515009fe184bdb1af54134a
SHA256 4936ed60878b6d04b691d4e23af42975996c2f807d75c70f9029e6d60a231e58
SHA512 80bfeb3b54a2955c037bc1a4a8a15e6aca18eff29ffda39996df9cc165a7ee4a2a057110ac9454775c18f347c6361ece969db7315034f29129829d270da5f863

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 846d05c1c1760081b5e34dcf7c6db388
SHA1 38eaa3f71b9994309dede66d18ef3e00bb08d606
SHA256 e2073476029cc9d6113102b2a0aa9048ef454f5df02ac4424c7641b230cded4f
SHA512 f6f385cfe4a95426dead788e6c7d82793f164f4131daaefc14c34fc6e7719bff35321860f0e4cb46e2acb5848dfebf3ca8773abbf287533f0175b6a4680552f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e7ee4e272794ec9db7a4260e1c15162
SHA1 8cc3072ba803ae5539f54a2651f6b97616593c7d
SHA256 a58f99086c1ba82ae07f89da8bd30da956a7044dd428412590fb472da06aec4a
SHA512 e611123c2180520506aee3d7d0715bd4a680c7e4b2a3b937fa71e74bcc25d48bd9844fc2886be5ec16967ae1affd91f03ab805c9101ee099eab66ef4b952f9ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02906f76d86ba3e2cbf4b5b03d76a491
SHA1 68755471d863110954604e649717be1c92039304
SHA256 656243ab9cabfacca7f618f90ecbe912f81a7d029a4e62f0726fcb217d8310c9
SHA512 be34b82ad06480de51ea1ab6cb86e4b27e2dc4dcd29d00f5e43a6156c90c7177c4dd1bc587b0754dd58ca2fa5c1266b6034b4f18546f229f94405ff50de29aac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e3fc868781c652c149945889f4fc86e
SHA1 ac075c0dbdabf268381b935c94b5153a93453c3c
SHA256 a1b4efe0c49fa959aaa89f28636e23fbbdb18824e52e9371a565236860fa4069
SHA512 b25d732683e9abd4f1d517545df6a93a1fbb7333ce5879f66c041b4009a6da6931342c9c9f7e75278a4c477a1bff3353b6f61836d4f5a3236e32b882c381103d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b58a1e316abd376712162d4909dc2b2
SHA1 3863fb0c803e10a1618b79d071809e7f11905c16
SHA256 21a2abdfdda32829474ff4b10e9518e924c318e7b3f59ed666607ee47c4a4a8b
SHA512 bb9846cef06714799e47848d480b466b58d4042fcc25d0bf2dc475125c913685ec17f8e66c950f18c2b6560c061a0ce58808e7a42603015260f390798ba010c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f87de7e4ec2056a36048647899ca4dd
SHA1 1ed82094a4bf503ae7ef4a889746e42acc166473
SHA256 f8925d62ae60872d2dc13df5b2df85437910d29a881c4ef6cf3f993bcfad8221
SHA512 e0f93dfa0322fecc327443b463d6b2f66923c1f8305e435af8eb3c5f36b1a30f903470644e949d3218e5a4f3e4d9e784e8b78a0879139bad89fdba2c9d0784b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 253e331da55fd1be5e5f0b8b1caff920
SHA1 b03cd31755d83b32aee1cc8e0a0a2c4bdad8a113
SHA256 73184957a278a9b8f36dbd3aa0de8451efaea485182b7699e165ed90ad5af525
SHA512 0ff7507f9786632497e9e42592803c02c2e8f822458e6b2b2392058712943e31bbb1a01d504a4e66d374eb6a62a4dc39ff9f48fc6a8ee88b12fa7d385e402004

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f529f1a8e6c96c647c941bf45bf61230
SHA1 ab96bf70cd9af4aa187dec585c8ce256858c6f2a
SHA256 2239be00e64ac4e7e6e10fe7a07c6a9d2202a1a2ee394fbd2a2d4f11024c401b
SHA512 a4b039ea297e6519c7ac9424729e1c8a00e6eef53eecdfcbd6dfa6f6b2b34c6173af369ed5474dd76198bc01d97d096aa1784acfef94ff3b2882c8f551410833

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8ca49af365dbd87e99ea66c151c5070
SHA1 528820381abac293e3b124c6a236585fa6a23479
SHA256 cbe7d56f00cc07ccf21129a5a81b8153d0c6b8cf7e8be574c7b8aa3d0fe6a786
SHA512 30df45e25b0027c89eeda27c6ccbc39750f5d4366e4dda6c8072b0834f68dae17e18960b57c40cee3b65df1c9cec03d11fdb228e010ad0e409490120b716ccbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70443927b8c6d8f3b9703924508a0dce
SHA1 3c5108aad33f541721253d04c974bb51a4ad99ed
SHA256 1c33422a7e95b00b0a988d8a3e5dcc1443a9819bbef8fe63ab3587f43daa399e
SHA512 6b246d3f1abe8deb852527c06d659c62d68220421684f9a047281cadf998c8b5bf582964cc76d32d8122d41900e4c99728e75f9013ad9e296f95e1bc46de11c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8329b196bfec41c9fb5e99fe0836e7a3
SHA1 89760cde5f86ff9f8124665fc3cd8c9730adc7e5
SHA256 4d1cebd0dee00699070a300e740ca7a1ce056b658c843fbbf357de3d50db2c87
SHA512 92203b75d839e0e711fda00f52b7de3e1b7fdb90aec7d570f3f2e2ebfa511534b0dcef1ea32dfa89ab2d85af38f3557abe964b24df7bd1b2fb47ccb8d0c81255

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e846c64b95d83fc29b82f030a28f430
SHA1 6f0b6eeb3fb6c3123d247257d5b74a7cb9c1a2a2
SHA256 dce8bf1a4325dd7befa14e2ab46de34d2dab8bd53e1d99522e295da95499ad04
SHA512 c05292ed09d8833b31ee5bb8c2319309d854c19992e7b832607513850caddd2bd591bb8f5c0920cadb066d06e3c8322c975248eda7a955e0329f4ac7e8bf8cd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10cf20e9e0c3bafd2913f19710aa23ce
SHA1 d1bbb29f5042ca8dc382685efaf84a70fbcbecaf
SHA256 4ab551306c15f8d7720c6490b6820bea2192a77bc582f6f030cf0d6cdbc71c4a
SHA512 4be37aa5da87067407d697dfb65a65b20303f5cb7c18456d0033089651c72c4305239c6bd34ba7c6f0ada1f7acd98ef551b31877aa399fd8cd11f26e422a91ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77c97f10bfa2b21dea2a60f01ed7f254
SHA1 a555d725418687cebda09a6d98637ee287a0e336
SHA256 4b8fa7ecd1ba941b75b110f8df811ce310d4cd7fceff4d6d83227c1a76a9443b
SHA512 1939a59c324ec135a4cb1f3c03b6455944090657a0d944d98aca0a78b0a9e5f51113e75920ca2759535483685f95138edcc55321c4cedb5a3875905828458768

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SLCBE896.txt

MD5 c3ad94522d06442508b681fb9ffaa567
SHA1 0e789144201434a50922cd5cec71ae06f3d41efd
SHA256 870212950e8906624fd6fef2d77eb81384c6a23c28d6db1343f5ab44ceb65de6
SHA512 9807202d363b182ede53ae3ad8d04adc1df940d7fc71defae61b53ca3aa27c2a26383752b656341e143954e97af08db6628f28f1a9595869a6602dfa4683e35d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[1].xml

MD5 f64e3b36db04a4d6e58bfb710274682c
SHA1 594eb680c1e9885272c62df3ddbf67c5bbc5b22a
SHA256 7f5516e9304d302859cd9388d2049f8016af6c76d89ae04aaf285925cf800564
SHA512 6c77fd0aaf2118789f6e3b15f7eafcd4d9a04dfa793fce73ec42f7af33e21db264167bd5e00a565606347552d54a7797f6fd9dbe012e662ca655a7501aa13c10

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[2].xml

MD5 f75c0eac15b4f27ba880663dbba58f5f
SHA1 1f7b32eac8f78105e0b2383b9132b9f5f13ca02f
SHA256 1b327e33e04512aea4ae896e9810684d5a412a19774826f0a3f9861760260050
SHA512 c57a2b12463e5f059bb9176af23314c43c5750d2005a1d150adb589bea96a290f68fc1df163c369208a64cf24986407f14b46ba1ce320a3133194599f9d54c65

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[3].xml

MD5 5c6c1470d62818a462edf86bac6904ed
SHA1 cde57c3f3941420006bc10b5126d0526448a7935
SHA256 489a2905c6422adc0c5879615fed983acc0a89a925226195415856221ca1904f
SHA512 0bcaf8479e73b7e1af7d6f9506e0a8ff3c30ed544b518cbb435d792496fe6cceb2ba1edb357fb4139f8dd7d34b1241519a2ee2ea87a01fcdb190673c52fbcf7f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[4].xml

MD5 c2ed826b93f64c6d21628f0804d8866a
SHA1 aed3ab46667397f798e37bf29e71658294dde5ec
SHA256 a7387372b0877b41675340d1335938e673f5ce11a33d113f72eb968eb6203b8b
SHA512 ceda9a6f8fbd57ab63c8876468f40f674d2efa2cf71bc2b84e236510c4a81b67479675c4b746926ab0ff93eb715dc0f72e9838020ad8fc38f7c3f6146713bcc6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[5].xml

MD5 323c31cd936360f9df56d5e568218ba3
SHA1 65a77fe3fb66c16f05583ac8f96213f73daf6a8c
SHA256 bca560117fa117b59088d8388d16890a75eb27b2d817e88706d5167a00d7119f
SHA512 e3d1a28c0ec082418d8db6ae60dc01f3c786afad2059dc243e435b8e8441c0f237d283f1d9f04ceab685d22c1cf218b77393e0b94548ec1823b03b86a8451a25

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[6].xml

MD5 a5ff172459b4938fe18cbac96cab08fe
SHA1 db6cf3fc3600ed415c2e056a19888523b6b5afd7
SHA256 7722da18c06d995d0a3372fe3201673c395f8178388164c317a80d08c307d5dd
SHA512 fb486814aab755ce9fb106751df0625b278dfa7bc5853cbfc3073762d196fede06d18cc286c1ac7e5cff9b84e7494402b1e4a37e8cdd7cc7931ffef313ed5748

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[7].xml

MD5 07f9b1cf7dba94820aaa9b3bfe0784ed
SHA1 e891646b7cdce7d84fe7af78fae709077e0e6e64
SHA256 cefa6d6a3c4482f20cebb2919a7c3fe3ba54ad42510a61f3a84ae81e43bb00a9
SHA512 faabce8ac6ed6c726ea0f8ba23e6073022ddfe2559df62c72c2d6f176aaa9e2c7ed063f4a7d216033f794a87a4a6cfa70c42880923c51d4ef982f1e420754dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[9].xml

MD5 3961c60a8d8e3f2c3e4c4f18720142bc
SHA1 ff9ed391ab915f42b1cd300c88f5e3751048f8a6
SHA256 8e9c03c9f76044b8bd4e53da20fc485642090aebcde6e97c9911cc8aba2cb5e8
SHA512 14a7cab2b6496a10cae61fd7f2fa5f657fad73f72ab57567c06833c257671ab8fc64afa23dc75c02aac4b3079a1ed77afbe5d4f43532fd1e9322035e397ab4ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml[10].xml

MD5 88d9f166f374a3701c169f39dce1cc60
SHA1 8ca72c830f64b1a117bab285dfe992b8ef8e47f8
SHA256 c7a595fbc35849e022f5a0f9d4f2a24d1e5e77a1a6fb2045136015cac8b292b2
SHA512 9c13c5576557d50bc24aabe23425834f89b6a030d494806316896bfb6f227883cde71cf27216d619967038b1950b24177f9762c0736dead1d9d62e647bcdfe37

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsmlBPIKFMOW.xml

MD5 01072e860f183cb3d4a0760fa6cd910b
SHA1 044ebb218e321c453bf4bba15fa65e992821d234
SHA256 1c835094c7202273bd24cd0e70e763938c698447cd5fe064948143e51ec6f465
SHA512 cd134203390c269c4e8e69690584b6656f1126924394b09d096dafa829b8c508b4a3893c77502398b499b71c27849144995436b82eac36005ab77087224a0b4b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsmlIBU4DPJ7.xml

MD5 301318457b11e821b560585c2e84581c
SHA1 fd562d23dc23df4fa4c94f9214d76df90b44c155
SHA256 763e74224536ee6ded9b59c94aeca3693758eec84977d268140a12988f74c42f
SHA512 b623b17343a48de9f26b7e54095e3cf4dde475fbca80970f8e4e10ff94ec9a1a79d73184e5f0853e0f039dbcccedd6a0a1e406a778e8cbb5c849730da5e1c0f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsml0F4ODO1F.xml

MD5 cfba34a7399e3c1dc0efc84e1b5ec3b8
SHA1 d7547427b2982e7d3cbffe0ee37ae8ed7804a818
SHA256 fc7170b1b0defec35a9b7ba5162414efa739566e24dcdfa88168952e1116d07d
SHA512 6c5d51da037229845a589c8b126d4cebbb5731f10fb422d551f9ba3743d7beda84044ce564353ef6cc9118646abbc17bc65e671ff8145d7c12ef5f93f55372d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\qsmlDSTCDY1X.xml

MD5 7b929f8e2215b46eae53154d8a7fc377
SHA1 a4df30ba3511fe0f085ff0978c3f55c95bdb8fc2
SHA256 06d78ed10fc18935308f2b5ac29ab3ccae355705d9b2ce9bf3dec2d7d5ca0ed4
SHA512 a2a4143e187783d829f12b7fc84a9175f23336607a037b4c284dbf078e2f10c5b9eee7126b45b82133a50c1d8a79c1a769c4e672196b5eb6312b52763c417307

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon-trans-bg-blue-mg[1].ico

MD5 30967b1b52cb6df18a8af8fcc04f83c9
SHA1 aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588
SHA256 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e
SHA512 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

MD5 9cb10096668074dda9a2a24a08f0b6b0
SHA1 14830ac87f20d5f30779accfbe17fea758f81f2e
SHA256 d6c1a5c84728c323685151fc28121c8c2f2ad1ff9b247d51c5889ce088de8712
SHA512 7841ef4fda853f592fab22c9ad48037f13dc0ea559ca059c7e310856b5585050d67bf974211a7da149a5329d0a6c9c0e0d26cf9f34c9050739bec7c5d96f80ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21e845b274ce2ac58cd705c002b7bc37
SHA1 e12b8eaa3962f22bea04087b59d51444c10975cd
SHA256 d74e75835400436a0cceee44dbcbdc8591266e88ce4b4b22c3785dafc996f3d8
SHA512 e00cd5ea81e4f2de4d337532d8c6fdc5de8e4ba73cfc68423015138da5afbfc859ff29e611230af778d0509c80197f498c701fdd9e1bb146bea65a1a509c1b5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f268a09b67a553fd2fe6d22dc76e4dc
SHA1 c21447d0d053de620ec45b4a31628a28d3dff858
SHA256 1d0e4d56ec3de0af6e607221a747b4211b85c812254ba90fa6941081500a4678
SHA512 885d064f0fdb2937284870aa379de30246de74e67543e00635930ee32f12d9b044552a1ed982c6d32f4f05cc3afd5d89f7aaf309eedbec015c5ed61b755214b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd038ac88927f848637acfe608c404cf
SHA1 254ff0eb917d73571bbea9f5aca0d9b8d2106d99
SHA256 d10b9396fee18bdeea7ef76c2ede6295b4c51f9edafa11b13ebafebfe0a0fb91
SHA512 ed5467a9b77e2fe6a72c8b375bcd60287adb23ec0d81812a88d61b76be52320950781451609bc27ab041dfd4afa5f68d51e3c31767a6b22a6f660419c4d49745

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e447718e77e36b0fdb08d2bd38751b6
SHA1 c7742c8c20d17ba87dec002a0b2908ed33a2cadf
SHA256 714d6652020cbacc8a4c01f14c51a60397f1cb1893cdf231cc96ac137b13bd4b
SHA512 4470b9db7f646bcdb8c935a652bffc007102e039ed9ec05cf12c3814d2922515bb641c867b45a702d8480208a0ba09656b91459782275f2e54377ae36bd6d398

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4860a8aee61497c64cedc971178037d8
SHA1 d563e184d9084868562836f6c590ab6474c3fd9e
SHA256 e87fc572f9f4c3adf398ae52d303ed31732ada0f4046a849e9cbbd504565963c
SHA512 3efdd91f98b791fcab703a4316a0f0fcc94cb4021ac245218a1aed3566076518686d1c18736c1739ac7554056bd479807717f2fac4b89b3bdf0c61ade45fe3a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ad36df93b56a004dd6168ed27964434
SHA1 ef263d504341fa6d81678629295db57d5d3da617
SHA256 2b83d0e2a83425f8eeba527910a4f0e5f75a38358da26ac9bd27788e2261e04f
SHA512 02671d518e069ab0c5d34b10ecd84ddfea2ca77818811941fbf4cc4c0295c2ca6b39f258fbaf221809d6fd68508b3f944cea7909386b7e4e467baa9c079f0213

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04aa3bb0e8034fae9145ef96654f67ed
SHA1 f412ded5ecd269c54ebeee3af7571c27bbb67284
SHA256 e20c9d460079c8de7b9aa0267f2672d807eefc76bcfc8fdb867831851140b041
SHA512 11ee3eabba224a968a149001b69430fe437bc3433a636dc5286271bd0936f47ee2cfedcecf7e129428d16af5b641c5649cc917ad362ae1be3cba0eda92895d0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38994723db193fa805f2a66e678bb118
SHA1 1f313ff134e2cb3d8770d1f1db23abc0dec1cc51
SHA256 a40ac2625f79e6c9cdce14289d07b11145392a754da9d40a8d15a253060f9c97
SHA512 8455bf121dd72dc3d2badf3b809299b35311ddcafeb88d51e0107d697b8504619ca9ab0171bca6d0ee2e71bcf05ec5a0716765fdc584cfbb6105d77678ed22ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1809fa4cd50be09089824bb8372802e2
SHA1 65d7bef5d26289954ba383a449b0a15def7dd514
SHA256 f928e3aafaa02012403ffd7669c6d7892cc1692cd59225102a07d6cab55645cf
SHA512 4c50b9a40e10b5789999e6ce5cd3d5f60fa65f33c73f5e76bfd3ce251822655665bb9a069cf1a3ade0d9914a336b925d81a57793e0e407d065a11c029046116d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b2916533dc418102e2b4009c908fe36
SHA1 1170718368c82403cb7178fbb7699a203d40d795
SHA256 7c38439f33cb50ee307ece48cb09c0456ac316741ecb463d5cc965748fd4497c
SHA512 3f173482b889be64bed013b99adf4d74c53950d9080f0a1b35e47124ce7c53c288f2b91b2495ea336eb835f0604dcf47e685ea6c847d82feab61e64d71328861

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 838fd7c35f49a0bb799085b1b79fd1f5
SHA1 84eb12f30175badcb382b0f04f492fee558605bc
SHA256 4727b6331a0582982f52f3eb322f51876ab6aef1034936e76396f3fb97cc9e45
SHA512 53a64244cc60476a6bab024ae0f838dcf818662eacde2e8570df5f2ddaa3b1a9a2cd64f23a78d60309d1ad3702f5c0f54368c8b8c672947fc28098aeed8525b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b96841e0ed6b8d61000b881795adb922
SHA1 13810d042f5b5f72a37699a1a0a18c0987ee24cc
SHA256 57f8219404faa9dadc513174178f790eb9b960cb67d82c597e65ff61bb9b0471
SHA512 0012f72dc8aa2689c3042dc2586f8a2a46a1fe20a6246bb3b71ed4c3119820b04d67d8871b9b8125df826e365170dc778d3c6b1e51ca650101fa070ed4feefb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f49c1f02622d38f4a3e25ffb67a45b1
SHA1 d40b70cf7f5a9d70c4e3523be0fb7460fc0ec0bd
SHA256 1212cee806bf288c9a448992a75fbbc416436abe1d206d10d6fc107c2b8a4f70
SHA512 a549c0842b13e586fdd42ee7dc4bfe3d9b1644dd5c97b01fe3dfc09d94d729b84dd601901e5af6242da178b92a1f4ce39289cbf69dc84280f08cde8d904b4749

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b89b8a6c58bdbe858b53d04d54cf581c
SHA1 49b771e348f5b7cfd160e25aa398a30574e604cf
SHA256 7269c819e8653280cd897ed60ba05fa41407de44c6839ce8f599ef1889d66179
SHA512 29377034d5c291c5c6a09a39b0c2cadd5b26e885b1409376c7e733c15037def641af43e1f8224df58cc1ca73b1b33d01523e1711759ae7bcf02b7fe90dbfc427

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf4820fa5fe36b2e56ee9ae74119e0a4
SHA1 29724c90f971f1aaa98478fcc028ea1ae9ba1428
SHA256 547615b1b41aa66f6f56018ac9137df202f542a52d36550fde78e31705683467
SHA512 b6b796ea5ef12724c711d9c33e5d9529cb878fe0e45fa6e5dc25308f8e35477b59f47a44a1e1cb2ed1932a274822321054ac64061837745fdc6cc2d1b232d0e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d415a94c2116cbaa8e64fe39457f304
SHA1 4aaac194a97caa6414e098e38abdc127c33cd03f
SHA256 5cbaaad996d0736760ed5aedc0b09f6b9d0794bf6c72bc0c391c6504c084353f
SHA512 62a77ceeafdedb8a999aad12689efa6b905d39bcb824ba814722a6d1707f550d6e3326f586400aa5636d15967266926a42144a19a875910b9f4831ee72272218

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6031e3840877d88194e9983ab4887bcf
SHA1 2449d881739ff13ff0cc1710b7e3c8fbc2d9c764
SHA256 91e323ede4747c792774267e9b01001a663cb318fd0234527522fd5dc2cfd1cd
SHA512 08bd7ff2761d0fdf5609e22a28cbee67ef4b06eabd5c76a8da779e4db128e7bed2f6e4314d73d215bac3ed47c9fa2b6867298ce0b2b14e9234cc9debe65096e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba40c4811607590202592dc1be44520e
SHA1 6b96f1f2dee495409f6fbf6cd3674f9b6b3e12fb
SHA256 de45bb19f37bc41501d4e9b9a263892a8ea2b68f55d630f2e95206ea1a098e5b
SHA512 1c6bfab79adc7023dac8094389b383ca8bf81445306a3e630a8fb201a1a6651abf6faa9827c929a53e9db7ea8f8e5aee1e050e665a73ba46d5b91a2f147bc86c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bd2aa28c434f40dbe4225120fbdf041
SHA1 96dd1ee4f0cea151dd22ce94586966085bc485cb
SHA256 6372095be6c3e066a16cd8a852815b8ec916daee1d6ff831ff7ee52d1baef7d9
SHA512 5916349524b3f93c7c2e720eb76b8fa97f313be8371e8059782a0ce7d2914351d0f8d60f20d27ffa16ea669682442efc8005421742b0b54da3dcf1d3b5d50021

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6db2604e99663b9d3ed694d818232594
SHA1 1a748e9740dd0b162a8bd6295b1a89f7cb546511
SHA256 ed51f29f33f0eb4aa0391753dca4fbe9779ff7ae7ab829ba5a395d6ac4a00982
SHA512 4266bfb4602037d768f279fd76a8d63108fa205b7aa1340bb17b2c2a7ec6d0ed8f6e566f9700d8c0a51690d9d12514848bd5c8b3796bf20727de7149088cd07e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b751af632a65b94345646e7cc30c97e4
SHA1 ec4bb56542299d75a1943e9d5394fe808f6a2360
SHA256 75ca8da97cc7c414b196d09e281149e501e81c098a5991efa437024e9d54a56b
SHA512 f0f30f03522d50501aae14a7e9581c42ad97f93dec59638df5701ce23095ecf27dee26c9d12ef346df0e5281e10dade8db7aa0e8f6ac207b7a8edcec05ca2704

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a34f82e07fcb07ce06c9739feaa7a34
SHA1 d780abb12c3797c15bf4e10bba2727cb80e16132
SHA256 b1398c6626afc2658342dffdf89d37747241aab0897230b3a72dfd7e52c7f9f9
SHA512 57917090deff368b8333d017ea7600061a078dd5d61515414e9f7de789ffbf5a7c740ec7fa8b17e81233157c479d0b5b7f842d218ec503fe11b71f6807b04222

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6054d3f316adcd5766428c373e5317df
SHA1 64ade2084244d35bb87dab81f2e5df62e1ea93f0
SHA256 d68101bea50469f62948d48dbca335a1ab91e47993aa6fe8a2447cbda017c822
SHA512 6a04609cc4b03944bfaedd1b63b8203d5100a86bb47eb0c23d5ba02894e09fe52e1182582d9d3dac0320bfe7417b3fd42226f1a4eb1b7adc933d748e431d2e59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be3faac9c864ae43a4d35a73c505601c
SHA1 74c0a346abe389105de063be64a399c72880578c
SHA256 44348eadb0759bc3bb9e4ba60346399685096ba04c3896bbd5592c42b2637421
SHA512 fcdd1eab8c28ce257ac4d774f30ab870b2febb22cdfd4df85b41acedfde297881bab5a304fd931be88210d404003dd063a9c841aefc5780a874dad2c6596aad7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0435ffce455d4a33cfa713d1c75fe3d4
SHA1 dde64992bbd8e6722c70ed64bc2c2d8637f7a60c
SHA256 cebcb9247923fe777768c79c783b88ed30818c8ea8735e222ce119e313a0204d
SHA512 94e9f6dbe4d4fe033cad79086d72c1c5fbd8a8809f206f917c646818d09e45e3c130b5a301002256288040d9aa7aab768109c1e2b9fc1a781d17742c083585d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6640095d60da55b3dbdb6cfebe32a546
SHA1 3b38f683467b5c8faaf1b9ae76d52d75489ce42a
SHA256 a0f2ff265b20ae8498ff27500fac2e6297b43576a08dcf87a3072ed7cb32bab4
SHA512 e997f64ae1c96ba7ad712106a0f6be041bb99ea1e84429f6bfe079a0a131201323e57d35f40ad846aaaf6df3daad68fa3c3f6c16d952d788993bd855996d61f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9befb0976cce2f0217be459b8a8fdd79
SHA1 05565445169c4e16eab2f34d6418428ce2855503
SHA256 4f5201e9c759735e369e4f357a9a0953deebb2b8a46da1904fd07e5f70570cf6
SHA512 8f11432a2d604f8fc0a95c6d43dcc77df46e3c469fa3ce6200609eb01d75b1bbd2f50c4ebbc2c86606af39298cbd921e751b9dd270009d05c766306685322d06

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\YVMO21PS\support.microsoft[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TKTJLXBR.txt

MD5 09a276102a54f0e2f7b48698a43314c6
SHA1 ffd9434a664e75b21c41ad564a78f059c3863e9d
SHA256 fcb21f1e131af023af065e73acf3621df4521370d9a2ee7d4080f0d6283050ae
SHA512 273b7b595492ef2c5075236e089fec489aa27cb4a37c926aa6f118c491c4ecac3a1dc21656279e05509b932fc7557c7365cc791470343f5028318ffc6e489408

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11f57bea2fe5e576c6951b8652d9a590
SHA1 795be3f3f096db6b36e0abac43d2eceef2a5b203
SHA256 aa3b9b16627f6ebdafc6f654543ecf6ba8f9553a39ac411a4a4430f49c7b00d9
SHA512 d69bcb730a529ebdb97dbec4e2ebfee4e3b6f2fb50cd4fb54da13d820d9974a01cf29576d777af455a204e6674481f1ce2891a334b5cb5af6ca1e7a1c81eece4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2a0bfc661a2899e0457663f15759e99
SHA1 9755c11c475c9334b596033beade736cc5a5321e
SHA256 9976dd1699bc268806347000451472359e80552d6e165d83fbdd8abe333031f8
SHA512 91da298e9935fdd8bd47cb79f8824106780850f76ef72d96ac28925042d8846eb3436c3b8b1581982db9e3d471b1db69e22d11ad003319b013d3a23560441def

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1NWMKCC8.txt

MD5 cc805395aad85ba58e9303710a0268c0
SHA1 1c0cbe564620da45878e2ab01db334b0e6389f66
SHA256 437332fb56edf74ad5d16c3d074400c2d1344cdcda9108a9f817dc973b98c84a
SHA512 1b5a4b44b7812782b01b08dd83715c7e1d666b1d7f233434fc8a929d5da0f5241a86cbae19373b34a3e26bb475da0f620f4b6ccd4dd0344ea57d738df01a2890

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ea49e9b9ff16435fff24b8277df972d
SHA1 2aad0dbab5654bea62ab0783ef17061bf0740b80
SHA256 9542c39ec7f5688fc7cf2a62658baaf29850284c668e5ac8be8b53c846341a67
SHA512 db54bca990573a265415007a371b4b02d875071e277b08c73631400cc5b570f71e0a5e93d17265586f917468e404b2573472b59ea659523f6b7c9035a5339b1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6177dbd93646c28fa6b01b1a1ed972a
SHA1 a29b59105c92ac1a605fa3908797ace5046a76d3
SHA256 6ccd9bff4c5546b82790c11518b62e50e2f7775dc727da2557ee45dae2ac5c88
SHA512 644d229c008b40469376be163ab9e55238c83b1b7e1f90a9538d8bb362d7a8c928939208f506f06c66115e504dafc7044f60bc9670d61fbe6eafbb974044d614

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon-32x32[1].png

MD5 fb2ed9313c602f40b7a2762acc15ff89
SHA1 8a390d07a8401d40cbc1a16d873911fa4cb463f5
SHA256 b241d02fab4b17291af37993eb249f9303eb5897610abafac4c9f6aa6a878369
SHA512 9cbcf5c7b8409494f6d543434ecaff42de8a2d0632a17931062d7d1cc130d43e61162eedb0965b545e65e0687ded4d4b51e29631568af34b157a7d02a3852508

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

MD5 b311bf347bed8c1f71886bbf685c152f
SHA1 55f22a48d5b59d4531c7ea8bd41e6f11c6ece9bc
SHA256 5af5231d327d3f666000cc43a6d815221968054842872032de8628dfa8ca6d2f
SHA512 a3f8c122c06369c8b58596e5aa4e8bba67b62fce14e500da6572ae2537dbe589e22b916f889fb2d2beb3694c204f76c4cf89a8d10b0988e767955c3a4127da54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IGJQW15L.txt

MD5 b5bd70c2ed95e44b2479509e8c20d666
SHA1 30d374dc8297b7c1c8b1c8d04dd091b0558bd349
SHA256 d43486d92388f56154ed52c2726a36ca277f8147829ce3440716d9683b003936
SHA512 f637cb0825d1f52b3cfd3d9e231384204863ad5d4a96815f89022c5f30e783af0a94ec390668574472c45cbee72427e2570ff8ab1fc0679a5c144e01280ffdd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9f449a786f58bc2e9b71b709d6208a4
SHA1 0b6e3f03788f0fe15d3c70751d66da733ae74761
SHA256 bcf707da3a2b3c8489685760ff710eb1a471cf6f32d86773a53c0fe0abd90867
SHA512 02463398d21d371c3616905049eca1ae0b9317d89609ed239863d0ed99b9206c582c580ca880176362dba49717f69c075409939c590ca6018bb4ff96541baa20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 461fea36c80b407c57ffacb30583ec86
SHA1 9acf0426b37652ea4be639926f1eb9cb712df83f
SHA256 4c5dce8a68c829be70f57e7902cf0816d2355275281d5877bdc7f4518f45cafa
SHA512 214a0d7b2a36582888e944cc471dc4483a7177a5ec2555226f3331484109c37475f81c69c410e68a55b783d2543e83d83c6b730cda7f6636d4a2f5cf2419f769

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 718af5ffc8e20c9d9918d152fc7cde41
SHA1 f1d3ec38786c43df2b5961d0a2ca90ddf2ac4e53
SHA256 ad24de1bb659287042551b0d56ddbd8b630d515cbcebb664642da734ff3a5df6
SHA512 f9440b45fc64b692b49077892fd511cb13f4fc80ed40718e36e91a68d379cfb0e600bd694dd1fbaa5a299325dbd555fb0c873ebf193f6b73897d9c623c36e16e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3976f9189a6a76bd8573c2816d5d3858
SHA1 1769dd4eb7286f02b0c9e87be1d43d38b35cebba
SHA256 7c8da8a70b2b78988421314cfd68897f42004ee438a86e1e6cdd435b8d53b03d
SHA512 db1b451ad1ceb9ee1b572b126168ddc10d767d7e3843d2aaaadf9202b113b5764850f1d690012cff8374b8a8bb85b15d0e72dd1bb6a9ccb0989e2deb6ab0c0a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3697c0571161215b6ca9d932b1332a0
SHA1 595420c1ac6358f74544c801a79da8da77ffc8a7
SHA256 79fb6342944dec773cb83503da81045cbe61680f121c16bef338191c8dd3ab02
SHA512 cfd2db5edcc90e6865341883298968bccf966267f3020c44189b86ed25aab2cee45aef2d869f0d40333f64997055cffcd53369afc475cc6c70ea020e3b16671e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33ad1b356e4ba33c7a351d58b1b6d480
SHA1 32e4ca03e267b78b741a636b3f62b1f3d5d5f077
SHA256 fd64df445e8e5f08ca7265ba6853587fe4105200f8aa3a95fd6210653bb51423
SHA512 7092665ec34553c490207d896550cc7ce1eb05809e324cc4242f580088b50a51e9ba9d2baf24a900b60fcf708f6dd643bd31d38b4464df4cd08a38125a8e07e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1aaf0a6d42f3ff6c4602501acc7d771c
SHA1 a75e8e2785a9fda337ce7f85d95f53df65a05b16
SHA256 cca51f981ffabfb792dfc5278a01c14033d326454042e252ba90a2087f9ea7e2
SHA512 d77844b2b52b14942dc8c37b442e4318362f78f866eff383b02c67faf3ff912085dbd72559c1465610f51f40baabdc33eaebf3cfd16b9f73e762eb2eab152a3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98f4f9ff28bfd18ff0b32095795eced4
SHA1 e92361ac1706675ad0525ef3cbdcb31c995b0567
SHA256 18924e8324d5dd9ecca0e451656ee78fa6084382eee1c63e1b6e72b673e902b7
SHA512 e72f1c944acd71412df4f33f305eb96b441ee3b403b06f474871115db9dad9fec2979efe3bf9fae7df670c5172e8d1e4bb91dff8a89228a8ca0b626ea55ded01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a74924c8b4cc8b018c9ee60f1d2d1162
SHA1 26af67e6e522ea21c2d56b9f895493baed0de98e
SHA256 c325446804b274921f9e71183ba221f84403c50a0f085a1d6d81492d8ec3aad9
SHA512 6b8f926990097ccedd44c067ed9779b4bcb5e481d7d06fe7338788cc0013e86415dec5accd668cd41df32df29db1d282aa5275f64ff749ee2c68bd7d468602b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d60d1b63b852e6b0543b0a787f17b47a
SHA1 c5279db8148db6b7cf9dc6525eb1443d8fa6c1a2
SHA256 78187ba91a80ea20ba9542cf780bd64ca199fc9e0a930ba38f0b3445647d44dd
SHA512 9fb57cf255f2e96478f066c7a0c84a38638d28c8a845a8af45f2cd372cb23bd0327c6618d7cffd35e892faa1316c4cdeee23ac7cc8d5a3b2c14814a84b756aac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 948d4e5ba8ca2a9c1bfc1defd8cfcc44
SHA1 cd629949974e38e88993dda3360364583b522dc1
SHA256 767cfd1013f32c20fdfb983c69170708a9c601bd1757715433d7fbd285a4c44a
SHA512 f4ea10f7c30b8fae16f8885cdec1ec8c4bb3da24f37c539928018c805886f5bd6bd8b1a70bd72b3a2cd9563d44cb6ec676086060188f1212cf6fbfc11cd2e9c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33acea74a038890850acc966da08c0f3
SHA1 33888486b19d9bb2bc4bb0feff7d8da80dc08938
SHA256 df2e69a5cb5b29723ddff8dbef134905792070b6b27897c3be33d25eb33423ae
SHA512 45f19d7f602ae7d5ce3191fe6204f0dfe04aaec5200100083d1dae0f7813ac51e57a157e4b7a4aad87ffceaac7ce93280d19d08144ab71b04cf4568803c62645

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16e03963ff18570618dc2ba90e61ac17
SHA1 715dbe219d85b4c926aaabd92b75fa1f60b0145e
SHA256 064e799fbdc1701c837e4821af6b27fcdaa0c07b03f6dc452b012b62ead674e4
SHA512 090bc0eeb4670c4875de6f6a29355cccaaf10cf5820d1697eb7006ac63ae94718aae5e3fdc624e1e58973f504f9e82bd54dc8acf90ec1ec1d54de2dc173f4bd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8b61bc2319d972e443d5bf65e9e0cc61
SHA1 576cdcb9b022af2fbc3c9ae147c57ffceaf3a2f7
SHA256 d2be69e936c4e4501a79ff5c4b27de94bab7570af050312f2d1bc527dbf6843e
SHA512 3b1dc1ec5f19604f1317629c7ce92153632521409de00885f6987eb8821744c8b9fe7d3afe8e292df8efb5bdba596b8a72ed8fd2bf33f0059038eb628e95a402

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5fafeecfd5c2214629d3bdf2e9d42297
SHA1 40f4e87b2077d9449b1e4588984b24e1da3dd670
SHA256 636d55bd3cfa140c717e2e5b0257b0ac79d341fa6dc3bf87d538ead0666fca14
SHA512 71d1eba9688f19ea412c93de519b921bc860f073fccd54ed35f6b725d37b54ff168bef24697e883a00ce0e8d05e39409af447d4d700532d07bc080bb7772b081

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\ErrorPageTemplate[2]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 5b6ec5a076d2950d035cba10fc2bd00e
SHA1 8980d65b27dec50ab3b286ca32948fd63cf3a1f8
SHA256 d289ead4de9176d752582b11d8a6e3497a89a2ab70a146e4557efb52bdde8bb9
SHA512 89d0aca3f90eca73538ee5ed49f011099bfc464d31b9837f89963b66e5daec9ec17e0a519db52b4bbf08f171e578766fbfbcc2035d9a75f027e4191436ea9b09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\windows8.1-kb4486105-arm[1].msu

MD5 92f3d6786a3ae13438615016c4e1b27f
SHA1 e7d5fa4524416969962dd82b4212de8b36f47026
SHA256 74672d1517eb93b98f257cbf9d1c82c8fe531cd2a288da8c83c25a7d6c87727c
SHA512 c6f88767fa57be4eba1abfa0d10e260bf1d62da09a22109c36e28ced44165f7bd189096d6bc9b8d80b2ad4b182f2136dbc023c4b626d6f516445b2c50b3a353b

C:\7091662e697d164f5c\WSUSSCAN.cab

MD5 639d74aa63da56c04fd81fd32638c4f3
SHA1 7f73489768ef5601457ed0fd32f49c708a19bd67
SHA256 6b83057f84f35693a14a18021e4a86158f2764253d80963587540e21ee642143
SHA512 39a3cad3a2048a99dce70b51ea95543fe508ec01f72a6aa15fe9c363fef960fa8d1ad0a0fa240695f5bb1c5faac07c9773c41e05ac269355257c095d3f5ab8cf

C:\7091662e697d164f5c\Windows8.1-KB4486105-arm.cab

MD5 4b08af2765f6bc417badb63fd220afc1
SHA1 b6049ea7a691cb63a23c90caf9260487f27e3c7a
SHA256 104f0b09f3d044bf438c5fff07c757cb3b7efd866c5dd064c6b39dc71421c283
SHA512 2812f29ab6ac01647502f4a53f82542938c4cc79052334c155723a6b40fbb48481a9690e0353479c17dfc9479c6a8e8ac3fb5f57bcd4ab6b6b316f1559221de6

C:\7091662e697d164f5c\Windows8.1-KB4486105-arm-pkgProperties.txt

MD5 a0545a59579124d97ca47ae3bce62e94
SHA1 0436fcb2fa79e1d689cb7e7fc546ac437c542cda
SHA256 4859ced35862b5a9703bf2948c30d3bee8e30031da5bee383501a65721df5254
SHA512 b8b231bbbc5e8817257fdb181d278a1093bf417c3f5d89ed53e5220e96701c716de2fe252ef32010d5fd9478d26e1876f756219f4d969ede8e62ee313301d1d3

C:\7091662e697d164f5c\Windows8.1-KB4486105-arm.xml

MD5 45446d49f8b49c7fbf130b8d7e00b910
SHA1 8e785e889f417973d7d8fe43c93e8c3257824774
SHA256 a8c594cf0c611d0edbe45e86e722a015cf23b8ea47e11942a6917218312d5ce3
SHA512 4203ff8781edf773efa9210a3a1b745475c81c89e30e3a29973ee2582d5e593687019742de3ea0695b278629eb121d86d2df7a0918a81757f09b63126ed32a03

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-13 01:07

Reported

2025-02-13 01:16

Platform

win10v2004-20250207-en

Max time kernel

474s

Max time network

492s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\hgfdfd\\$77Runtime Broker.exe\"" C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Stable.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\microsoft_shell_integration.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedgewebview2.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\notification_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wns_push_client.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\stable.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Temp\source3676_404238265\msedge_7z.data C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\it.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr-CA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ru.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\telclient.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Stable.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\el.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\am.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nb.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\onnxruntime.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxcompiler.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneds.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ko.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ta.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sq.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\delegatedWebFeatures.sccd C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedge_200_percent.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ml.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxcompiler.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\as.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader_icd.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Staging C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cs.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\he.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ca-Es-VALENCIA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr-CA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3aac5099-b573-453b-bcb1-ca548002fe8a.tmp C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\7-Zip\7zG.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings\MuiCache C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\wwahost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 424 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 424 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 976 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 976 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 1460 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 1460 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 1460 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 1460 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3676 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3676 wrote to memory of 4140 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3676 wrote to memory of 4140 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3676 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3676 wrote to memory of 2392 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3680 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3680 wrote to memory of 60 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4140 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4140 wrote to memory of 5068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2392 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2392 wrote to memory of 2096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4248 wrote to memory of 4712 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe
PID 4248 wrote to memory of 4712 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe
PID 4712 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4712 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4712 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4712 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4248 wrote to memory of 1356 N/A C:\Program Files\7-Zip\7zFM.exe C:\Program Files\7-Zip\7zG.exe
PID 4248 wrote to memory of 1356 N/A C:\Program Files\7-Zip\7zFM.exe C:\Program Files\7-Zip\7zG.exe
PID 4712 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
PID 2120 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
PID 3264 wrote to memory of 852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 3264 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
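
The table above is the quickest way to recover the process tree of this detonation: every writer/target pair is a parent and the child it launched (compare the Processes section), which is how process creation shows up in this kind of log, since CreateProcess writes the new child's startup data into its address space before it runs. A write into an already-running, unrelated process would instead read as injection, and nothing here looks like that. The following Python is an added example, not part of the report or of any sandbox's tooling; it feeds a subset of the rows above (copied verbatim, including one of the report's duplicate pairs) into a small parser, deduplicates the edges and prints the tree per root. Two roots fall out: PID 424 (the Edge installer, with no edge from any of the sample's processes, as expected from the host's own update) and PID 4248 (7zFM.exe, from which the SilverRat chain 7zFM.exe -> SilverRat.exe -> cmd.exe -> $77Runtime Broker.exe descends).

```python
import ntpath
import re
from collections import defaultdict

# Constructed input for this example: rows copied verbatim from the
# "Suspicious use of WriteProcessMemory" table above (a subset; one of the
# report's duplicate pairs is kept so the dedup step has something to do).
WPM_ROWS = r"""
PID 424 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 1460 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 1460 wrote to memory of 768 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe
PID 3676 wrote to memory of 3680 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4248 wrote to memory of 4712 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe
PID 4248 wrote to memory of 4712 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe
PID 4712 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4712 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\System32\attrib.exe
PID 4248 wrote to memory of 1356 N/A C:\Program Files\7-Zip\7zFM.exe C:\Program Files\7-Zip\7zG.exe
PID 4712 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
PID 3264 wrote to memory of 852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3264 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe C:\Windows\System32\schtasks.exe
"""

# Writer image and target image both start with "C:\"; the lazy group stops at
# the first " C:\" boundary, which is where the writer's path ends.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_edges(rows: str) -> dict:
    """Map (writer_pid, target_pid) -> (writer_image, target_image); repeated rows collapse."""
    edges = {}
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]))] = (m[3], m[4])
    return edges


def build_tree(edges: dict):
    """Return (children, parent, image, roots); roots are writers that nobody wrote to."""
    children = defaultdict(list)
    parent, image = {}, {}
    for (writer, target), (wimg, timg) in edges.items():
        children[writer].append(target)
        parent[target] = writer
        image.setdefault(writer, wimg)
        image[target] = timg
    roots = sorted(pid for pid in children if pid not in parent)
    return children, parent, image, roots


def lineage(pid: int, parent: dict) -> list:
    """Ancestor chain from the root down to pid, e.g. [4248, 4712, 2120, 3264]."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(pid: int, children: dict, image: dict, depth: int = 0) -> list:
    """Indented one-line-per-process tree; ntpath so Windows paths split correctly off-Windows."""
    lines = [f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, image, depth + 1))
    return lines


if __name__ == "__main__":
    children, parent, image, roots = build_tree(parse_edges(WPM_ROWS))
    for root in roots:
        print("\n".join(render(root, children, image)))
        print()
```

The lineage function is the one to keep handy: given any PID from the Signatures tables (the powershell.exe that sets Defender exclusions is 2060, the schtasks.exe calls are 852, 1920, 1476 and 2340), it answers "which dropped binary is behind this" in one call.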

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzlCRjk5OUQtNEUzQy00OEI4LUE4QjItMDdCOThCQzE1Njk1fSIgdXNlcmlkPSJ7QURCNzFDNDQtOENBNS00OEU5LUI2RkQtQzY2NzRCQ0NFRkM5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDhGNUZDQTItNEQ3QS00MDA1LUFBRUMtOEJFM0IxRkIyNzI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTc1NDUyNjM5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7859d6a68,0x7ff7859d6a74,0x7ff7859d6a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7859d6a68,0x7ff7859d6a74,0x7ff7859d6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7ec9b6a68,0x7ff7ec9b6a74,0x7ff7ec9b6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7ec9b6a68,0x7ff7ec9b6a74,0x7ff7ec9b6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7ec9b6a68,0x7ff7ec9b6a74,0x7ff7ec9b6a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe

"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa

C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe

"C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap15205:122:7zEvent19242

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D5.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN $77Runtime Broker.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
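
The command lines above carry the whole infection sequence in plain text: attrib.exe +s +h hides the drop directory and the renamed payload under the user's Templates folder; a batch file in %TEMP% waits three seconds with timeout and relaunches the payload as "$77Runtime Broker.exe" (a name borrowed from the legitimate RuntimeBroker.exe, which lives in System32); that process registers a one-shot task with /RL HIGHEST /IT /F, adds Defender exclusions for exe, bat, dll and ps1 through Set-MpPreference, and creates an hourly task whose action is the unexpanded string "%MyFile%" (whether that task ever runs anything depends on MyFile being defined when it fires, so it is worth flagging rather than dismissing). The Python below is an added example, not part of the report; it encodes each of those observations as a regex rule and runs the rules over the command lines copied verbatim from this section (the Edge installer lines are omitted, as they belong to the sandbox host). The rule names and the short list of masqueraded system-binary names are this example's own choices.

```python
import re

# Constructed input: command lines copied verbatim from the Processes section
# of the report (Edge updater/installer lines left out).
CMDLINES = [
    r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"',
    r'"C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe"',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D5.tmp.bat""',
    r'timeout 3',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"',
    r'"schtasks.exe" /query /TN $77Runtime Broker.exe',
    r'"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit',
    r'"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00',
]

# Rule names are this example's own labels, not the report's signature names.
RULES = [
    # attrib +s/+h applied to something under a user profile's AppData
    ("attrib_hide_appdata",
     re.compile(r'attrib\.exe"?\s+(?:\+[sh]\s+)+"?[^"]*\\AppData\\', re.I)),
    # cmd /c on a .bat dropped in a Temp directory
    ("temp_batch_launcher",
     re.compile(r'cmd\.exe\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat', re.I)),
    # timeout N as a whole command line (sleep before the next stage)
    ("timeout_delay", re.compile(r'^\s*timeout\s+\d+', re.I)),
    # task created to run with the highest available privileges
    ("schtasks_highest_privs",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*\s/rl\s+highest\b', re.I)),
    # task whose action is still an unexpanded %VARIABLE%
    ("schtasks_unexpanded_var",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*\s/tr\s+"?%[^%"]+%"?', re.I)),
    # Defender exclusion added from PowerShell
    ("defender_exclusion",
     re.compile(r'powershell(?:\.exe)?"?.*\bSet-MpPreference\b.*-Exclusion(?:Path|Extension|Process|IpAddress)\b', re.I)),
    # assumed list of System32 binary names appearing under C:\Users (masquerading)
    ("system_name_outside_system32",
     re.compile(r'C:\\Users\\[^"]*?\\[^\\"]*(?:runtime\s?broker|svchost|lsass|csrss|dllhost)\.exe', re.I)),
]


def triage(cmdline: str) -> list:
    """Names of every rule that fires on one command line, in rule order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def triage_all(cmdlines) -> dict:
    """Only the command lines that fired at least one rule, mapped to the rule names."""
    return {line: names for line in cmdlines if (names := triage(line))}


def fired_rules(cmdlines) -> list:
    """Distinct rule names that fired anywhere in the batch."""
    return sorted({name for line in cmdlines for name in triage(line)})


if __name__ == "__main__":
    for line, names in triage_all(CMDLINES).items():
        print(", ".join(names))
        print("    " + line)
```

Seven of the eleven command lines trip at least one rule and the two benign ones (7-Zip opening the archive, the initial SilverRat.exe launch) trip none. The rules deliberately key on arguments rather than on the dropped file name, so they survive the next build renaming "hgfdfd" and "$77Runtime Broker.exe"; only the masquerade rule depends on names, and its list is the part to grow from your own telemetry.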

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
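
Most of the Network table is the sandbox host talking to Microsoft (Edge update and delivery, Office, SmartScreen, Bing); the udp/53 rows are queries to the 8.8.8.8 resolver, so their country column describes the resolver, not the destination. What remains once that first-party traffic is set aside is discord.com over 443 and auto-london.gl.at.ply.gg on TCP 51655 (ply.gg is the tunnel domain of the playit.gg service), contacted twice, which is where the summary's "Legitimate hosting services abused for malware hosting/C2" signature points. The Python below is an added example, not part of the report; it parses the table as printed, separates resolver queries from TCP connections, suppresses destinations under an assumed first-party allowlist and returns the rest with attempt counts and a non-standard-port flag.

```python
from collections import Counter

# Constructed input: the Network table above, copied verbatim.
NETWORK_TABLE = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 172.169.87.222:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
GB 96.17.179.176:443 res.cdn.office.net tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 auto-london.gl.at.ply.gg udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 147.185.221.19:51655 auto-london.gl.at.ply.gg tcp
"""

# Assumed allowlist for the sandbox host's own traffic; tune per environment.
FIRST_PARTY = ("microsoft.com", "bing.com", "office.com", "office.net")


def parse(table: str) -> list:
    """One dict per row of the 'Country Destination Domain Proto' table."""
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_first_party(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in FIRST_PARTY)


def resolver_queries(rows: list) -> Counter:
    """udp/53 rows: what the box asked the resolver for, with query counts."""
    return Counter(r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53)


def external_iocs(rows: list) -> list:
    """TCP destinations outside the allowlist, with attempt counts and a port flag."""
    counts = Counter((r["domain"], r["ip"], r["port"]) for r in rows
                     if r["proto"] == "tcp" and not is_first_party(r["domain"]))
    return [{"domain": d, "ip": ip, "port": p, "attempts": n,
             "nonstandard_port": p not in (80, 443)}
            for (d, ip, p), n in sorted(counts.items())]


if __name__ == "__main__":
    rows = parse(NETWORK_TABLE)
    for ioc in external_iocs(rows):
        print(ioc)
```

The allowlist is a suppression list for this sandbox's background noise, not a statement that those hosts are safe to ignore in general; an allowlist that is too broad is how a C2 on a cloud provider's domain slips through, so keep it to the exact suffixes the host image is known to contact.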

Files

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A5F26DA2-00B9-4252-AC7C-9486AF19D75A}\EDGEMITMP_43538.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 b66e42d23135a7453b05c823deae1bbd
SHA1 4f94b3b60ce38b45816bad7e433bca621f0b95c6
SHA256 6b7a57e6787112da8f6eee4226d6d703498cd64073c4d78fe18ecc24622d690e
SHA512 3efd9e7be65ca1cf5322d4e1d25998bb1e8cb84f18688c59b01bf38a4ca441a48037f95c272cf06665d8047509593debcd6f132668a830432402120c2db82f9a

C:\Program Files\msedge_installer.log

MD5 2a135f6556e364c1dc26be2a8a59a7ba
SHA1 e8afb9a005cda1b37cc45e4da5116163682484d2
SHA256 cec853083561ac17c2b29fabfe204d11c4fed0b2f3f52665657c532494ce6eab
SHA512 42c0804472d63f23e091ae0b0c01674af5187e48cec43ca727e48249c4297adf92d29743043514d4ec0f1cbd8f98b0bf7571ef777ce650d88e02fb423068729e

C:\Program Files\msedge_installer.log

MD5 8adcfbaf7c75da984040df98cdf38878
SHA1 c0faff7584ae7ce340804fa5e70bf666c875cacf
SHA256 629d37257a59baa9fb4f31bd95c449b02ae48dbae19bd144658e6675da433f89
SHA512 b43445197155b767756e405e7daeb0c72b18403d9b0f25afdf0cfa44cd0abac33ff396cf4ad1b6944fa82bac1fd82a5eb7a3dd0a9946ab3c4d586ff79cadac6f

memory/1992-71-0x0000026499650000-0x000002649965E000-memory.dmp

memory/1992-72-0x00000264B3B70000-0x00000264B3B7A000-memory.dmp

memory/1992-73-0x00000264B3BA0000-0x00000264B3BA8000-memory.dmp

memory/1992-74-0x00000264B5000000-0x00000264B5249000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO890914AD\SilverRat.exe

MD5 545d64cc91e4da6339a70d54a2443c5d
SHA1 f03344ab824c7cf0f73dcc86aa34cab36e2e54e7
SHA256 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f
SHA512 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681

memory/4712-141-0x00000000006C0000-0x00000000006D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp54D5.tmp.bat

MD5 cea9709e87eabb13e3a256c69375c261
SHA1 5d6278484012fb9c9b8d6bc11c468611558bb30d
SHA256 ca1cc1a6fd0dc93c7f5efcbd8ab702a878828bbde621a88343251629561af1a4
SHA512 52dbd12282995e8c677940b9607df01eb414e925211f0b65737f90e861a4bd057ba8b60067732fdb45d71ebe2ed097c2cdb117778443a24454d0c0add7021b8e

memory/2060-155-0x000001917A8B0000-0x000001917A8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq0lcpdm.hj3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82