Malware Analysis Report

2025-03-15 01:11

Sample ID 250214-fh43hstlaz
Target config1.exe
SHA256 bc6832776e4b42a72e1820afa59f370ce3b50bfb1b28dfa5eaf51a27c05a2525
Tags
silverrat defense_evasion execution persistence trojan discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc6832776e4b42a72e1820afa59f370ce3b50bfb1b28dfa5eaf51a27c05a2525

Threat Level: Known bad

The file config1.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion execution persistence trojan discovery

SilverRat

Silverrat family

Downloads MZ/PE file

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Delays execution with timeout.exe

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-14 04:53

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-14 04:53

Reported

2025-02-14 04:55

Platform

win7-20240903-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config1.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\discord\\$77discord.exe.exe\"" C:\Users\Admin\AppData\Local\Temp\config1.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\discord\$77discord.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\System32\attrib.exe
PID 2268 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\System32\attrib.exe
PID 2268 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2716 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 2240 wrote to memory of 2584 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2652 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config1.exe

"C:\Users\Admin\AppData\Local\Temp\config1.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1729.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\discord\$77discord.exe.exe

"C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "discord.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 AK505-50624.portmap.host udp

Files

memory/2268-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

memory/2268-1-0x000000013FB00000-0x000000013FB0E000-memory.dmp

memory/2268-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/2268-3-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

memory/2268-4-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1729.tmp.bat

MD5 0c5ecad49b901897500a48025ec0e8df
SHA1 4ef55aaa4c7f21c86efcb9b40e096178e314425f
SHA256 cafbfb78ea0ddb266c9f7696a4a05561b0daf04813b0a0e2767694f958bb202a
SHA512 78e9daae3715e7f80078b705feccc85c5718cec61ef9747eafd8922e65a625e3b66ce393018cdd72ef13cc76dc2000523dc6cd53e16410cc60af3eec554491b8

memory/2268-14-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

\Users\Admin\discord\$77discord.exe.exe

MD5 d06827fc48693f1b3392ce2459929593
SHA1 bf29a0d5f3263fc06fe2d239e59252fe581fdcba
SHA256 bc6832776e4b42a72e1820afa59f370ce3b50bfb1b28dfa5eaf51a27c05a2525
SHA512 37e668350f5ce2d30ce811df4aeb46ad0f073e4832f1492ece149858cdd0217b2407fba574dff0122e10d9dfbc53cc55dc91f0c2e977b7f0fa1bbac668cb5b4b

memory/2240-19-0x000000013F7D0000-0x000000013F7DE000-memory.dmp

memory/2584-24-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/2584-25-0x00000000026B0000-0x00000000026B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-14 04:53

Reported

2025-02-14 04:55

Platform

win10v2004-20250211-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config1.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\config1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\discord\$77discord.exe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\discord\\$77discord.exe.exe\"" C:\Users\Admin\AppData\Local\Temp\config1.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\discord\$77discord.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\discord\$77discord.exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3828 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\System32\attrib.exe
PID 3828 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\config1.exe C:\Windows\system32\cmd.exe
PID 312 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 312 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\discord\$77discord.exe.exe
PID 1460 wrote to memory of 3900 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 3056 N/A C:\Users\Admin\discord\$77discord.exe.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config1.exe

"C:\Users\Admin\AppData\Local\Temp\config1.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\discord\$77discord.exe.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [encoded payload omitted]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF9D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\discord\$77discord.exe.exe

"C:\Users\Admin\discord\$77discord.exe.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "discord.exe_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.66.74:443 www.bing.com tcp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
IT 91.80.49.20:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 AK505-50624.portmap.host udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 104.91.71.142:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 AK505-50624.portmap.host udp

Files

memory/3828-0-0x00007FF9C8373000-0x00007FF9C8375000-memory.dmp

memory/3828-1-0x00000000008F0000-0x00000000008FE000-memory.dmp

memory/3828-2-0x00007FF9C8370000-0x00007FF9C8E31000-memory.dmp

memory/3828-3-0x00007FF9C8373000-0x00007FF9C8375000-memory.dmp

memory/3828-4-0x00007FF9C8370000-0x00007FF9C8E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFF9D.tmp.bat

MD5 a219312ed9971ff04d6f196131efca8e
SHA1 285df7261ef004fb754f24a5d8c956fe12fb71ad
SHA256 213600483981cd19826e19ca50abb5002159e8408169bcf1294f4fad92b9f5b0
SHA512 c5f69d58215c799d9d33b8677adac3d6fb31b8018ae3c8784b89cf9ee8b774a42d1cc0e1920ed33c5f301099c632a5ecdfb0882506e6747caa6c5ef19a61641e

memory/3828-11-0x00007FF9C8370000-0x00007FF9C8E31000-memory.dmp

C:\Users\Admin\discord\$77discord.exe.exe

MD5 d06827fc48693f1b3392ce2459929593
SHA1 bf29a0d5f3263fc06fe2d239e59252fe581fdcba
SHA256 bc6832776e4b42a72e1820afa59f370ce3b50bfb1b28dfa5eaf51a27c05a2525
SHA512 37e668350f5ce2d30ce811df4aeb46ad0f073e4832f1492ece149858cdd0217b2407fba574dff0122e10d9dfbc53cc55dc91f0c2e977b7f0fa1bbac668cb5b4b

memory/3900-15-0x0000021074ED0000-0x0000021074EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3a5ue5h.zkh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 6ee9362b54a816b6f103f52b1d9b0dc5
SHA1 e9c75467b44be1391cae736b99f2ae069ac4b03f
SHA256 79f6c2447e395ae7705b15a04661f54e9963eba038537ab2dc8d663c71fdf6de
SHA512 de6a5bed12e3bfeed6af263c16ff96db73cd105623c5afe42ddcabc645d0678e9eada4b0b3aed2741531f981d57361c5d37ddab922ab8bae0520b08c3690299a