silverrat | 3fce4b5d26887b84f5f9081fb4b26fc8d8a28bd4e44cc5b7d4f94f1407d4a1e6

Analysis

max time kernel
557s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silver Rat.7z
Size

10.5MB
MD5

94306cf12778c76e530c99a79ffbf155
SHA1

78ff9ae383665885d4c484c225e8db093f379273
SHA256

3fce4b5d26887b84f5f9081fb4b26fc8d8a28bd4e44cc5b7d4f94f1407d4a1e6
SHA512

91a4bec7c0cf86c935fa182f1bed613389fa6250675e31d262e2ae2e90b61b4d15f0045c9562615c43bba8e057a7bcd52d98ec06109f935d7e8dce02c0d3b734
SSDEEP

196608:cEqZUYyeiDxFBVwSfSjR4FaVrVqtnBET7erfudD46RqhzXog4pVFArDdUkL3tmmU:cEqN0DzjfiVBqV+ves4aAog4KdUkLFB6

Score

10^/10

silverrat agilenet discovery persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

127.0.0.1:4782

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
eHdEYm50bUx0RFJwWE9jRE5BSVR1WVFCVG1JZkxE
reconnect_delay
4
server_signature
UnNa5OPIXD9j9roc0PgVYVNySt2mq5ns0QQMEc/ueumRKU/mp4hu5hKktif5TElGwHfqA6XW45a7Q9TeUkyjkOIqgjeme1LRiO631djNSuLZJ1rG7k1aRqxu/U9CAw5KxXZe4CbCFhz6pHoMdQu5VU/R5hnBuGCVzfJNv2HxZ3DsHUU9txcYmimFPCxo8+AJ/5xSmpLoxKY50KoVB1zGqkE7OIk0bpZXdjmICLappUC1c09xECXZidaQ3GUu7IBWC0I5c+hQy1eswP6WkXuusBNaf7EZyK/zJI9nCi8CYpO6DgzvKelKE588lv8HldaG7zNggQ102dkzsYq4oT4zHCqeSdxf5DNxRrL+ZZLiYIyX6OMta/FqfKtC4zorzdU7XaF63lXzwbyoa2ZGyZfkvsgLRCMGHnKdOQVg9VQk3gZzkIpAi0XP2UflJydWmj7df+c0TVc0qQpavJcEaP7HrGhaW2WfH5L656fFMRVerA5mjCcmwcvS4h4wlp80rDDJFJ96YUBNIDPDmp2USQy31+VOWsHlPVdbMRDPkLm115L6JNCyLxd0SaTb14TkbC7F0XDgPUE/tQFSpLWeUgah8ij/tvc2NrcEcIqCWJQgUyuEWmASMK3EMQHGQRUTlgS1wq6cdqCdI3ukQ2zdCmXgHosg52DL9ibDCASRFmeJaoc=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	SilverClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	SilverRat.exe
1512	SilverClient.exe

Loads dropped DLL 10 IoCs

pid	Process
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2556-90-0x0000000007450000-0x000000000749E000-memory.dmp	agile_net
behavioral1/files/0x0008000000023cc8-89.dat	agile_net
behavioral1/files/0x0008000000023cbc-99.dat	agile_net
behavioral1/memory/2556-102-0x0000000009770000-0x00000000098BE000-memory.dmp	agile_net

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SilverRat.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SilverRat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SilverRat.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Internet Explorer\TypedURLs	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Pablo - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\r1036sr.lxa"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; message=NativeSupported; address=NativeSupported; media=NativeSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Vous avez sélectionné %1 comme voix par défaut."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Near"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000033218ddb4c81db01096be1645881db01096be1645881db0114000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_HW_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Adult"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8031"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{A79020BC-1F7E-4D20-AC2A-51D73012DDD5}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Haruka"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US"	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1512	SilverClient.exe
1236	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe
2556	SilverRat.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4360	7zFM.exe
1512	SilverClient.exe
2556	SilverRat.exe
1236	explorer.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeRestorePrivilege	4360	7zFM.exe
Token: 35	4360	7zFM.exe
Token: SeSecurityPrivilege	4360	7zFM.exe
Token: SeDebugPrivilege	2556	SilverRat.exe
Token: SeDebugPrivilege	1512	SilverClient.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe
Token: SeShutdownPrivilege	1236	explorer.exe
Token: SeCreatePagefilePrivilege	1236	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4360	7zFM.exe
4360	7zFM.exe
2556	SilverRat.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe
1512	SilverClient.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe
1236	explorer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2556	SilverRat.exe
1512	SilverClient.exe
1512	SilverClient.exe
3632	StartMenuExperienceHost.exe
628	SearchApp.exe
1236	explorer.exe
1236	explorer.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4668	2556	SilverRat.exe	115
PID 2556 wrote to memory of 4668	2556	SilverRat.exe	115
PID 2556 wrote to memory of 4668	2556	SilverRat.exe	115
PID 4668 wrote to memory of 640	4668	csc.exe	117
PID 4668 wrote to memory of 640	4668	csc.exe	117
PID 4668 wrote to memory of 640	4668	csc.exe	117
PID 1512 wrote to memory of 2648	1512	SilverClient.exe	122
PID 1512 wrote to memory of 2648	1512	SilverClient.exe	122
PID 1512 wrote to memory of 1236	1512	SilverClient.exe	125
PID 1512 wrote to memory of 1236	1512	SilverClient.exe	125
PID 1512 wrote to memory of 452	1512	SilverClient.exe	131
PID 1512 wrote to memory of 452	1512	SilverClient.exe	131
PID 1512 wrote to memory of 876	1512	SilverClient.exe	138
PID 1512 wrote to memory of 876	1512	SilverClient.exe	138
PID 1512 wrote to memory of 3040	1512	SilverClient.exe	140
PID 1512 wrote to memory of 3040	1512	SilverClient.exe	140
PID 1512 wrote to memory of 2484	1512	SilverClient.exe	147
PID 1512 wrote to memory of 2484	1512	SilverClient.exe	147
PID 1512 wrote to memory of 4468	1512	SilverClient.exe	149
PID 1512 wrote to memory of 4468	1512	SilverClient.exe	149
PID 1512 wrote to memory of 4792	1512	SilverClient.exe	151
PID 1512 wrote to memory of 4792	1512	SilverClient.exe	151
PID 1512 wrote to memory of 1240	1512	SilverClient.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Silver Rat.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4360

C:\Users\Admin\Desktop\SilverRat.exe
"C:\Users\Admin\Desktop\SilverRat.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ils51oac\ils51oac.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E3A.tmp" "c:\Users\Admin\Desktop\CSC53E110A69FB148B88F14F01659C020E8.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1516

C:\Users\Admin\Desktop\SilverClient.exe
"C:\Users\Admin\Desktop\SilverClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\Cmd.exe
  C:\Windows\system32\Cmd.exe
  2⤵
  PID:2648
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1236
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies registry class
  PID:452
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN SilverClient.exe
  2⤵
  PID:876
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN SilverClient.exe
  2⤵
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:4468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:4664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:3816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:4552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:3980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:2992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:4852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:6372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:6608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:6840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:7088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:6712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:5796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7024

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\DESKTOP\RESTSHARP.DLL

Filesize
166KB

MD5
09806e18f9f8e3f2351827be22e634e0

SHA1
54ec870ffb8ce10b3c8b05bbc7fb7ea45142a430

SHA256
0e7a0f3910741e81f9b4660501b30aab5eee71cfa4fa9dcc9b32acb64c865428

SHA512
45b5743bd3f50f51b6953bbfca9f8c5d1aca75aaed5cee0d6ef401034a05a09f27b928f539101801450b428ca7eac9ecc3ad0b41f2bc19258da52fbc7dc8ed09

Download Submit
C:\USERS\ADMIN\DESKTOP\SYSTEM.BUFFERS.DLL

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\USERS\ADMIN\DESKTOP\SYSTEM.COLLECTIONS.IMMUTABLE.DLL

Filesize
175KB

MD5
8f55c22412f7d448d6e7b83102665368

SHA1
88df86ee0b137992af15a35825804274fa252e30

SHA256
67730917b4e856e37a9d78245527584087fac6b20a7377677b2f444cd15db918

SHA512
058431aa2280511b00a72ea55ded9bdaef55420f5bce10c9352d4f92736a11884d1e70706016b988cca560358b3b43ce1bad5c9bd726f11d8ad66e3c91f98ccb

Download Submit
C:\USERS\ADMIN\DESKTOP\SYSTEM.MEMORY.DLL

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\USERS\ADMIN\DESKTOP\SYSTEM.NUMERICS.VECTORS.DLL

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
988337fdd0c9a95e9f51cb3d5e8deb11

SHA1
2497b009badb9c7c7f1b7b950f750b08d2575092

SHA256
ce2e8179dc6af0a15a702e90255203958ee4e1e2e1109dbff90a8284212e7da2

SHA512
288462b9b424105150338ed676b31e3943402ecfbde4346184be546d0acb0ca11ad107a2aff42ccb4433800f1bfecca8b012fdb63ebf7e9d096f07bf1fd4ba91

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133862820344112993.txt

Filesize
75KB

MD5
576af4bed755eeadcb3379a78af6b108

SHA1
3f22b1d22f9acb226d4324fcd403b68015ca6170

SHA256
5b1df387f17a984fbb8ed0b98e8dc46f23c2c43a19bf489b934b93baf8eae731

SHA512
f8b3557de027b12274b4db90e1ea36aa33185e7d48017c2d15a813c3b84393b9ec1f44d25c6d1134dd8e4a9d774aa46b2d0a8a43b1fe3b812a41e8aa0debba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E3A.tmp

Filesize
1KB

MD5
0495c734adddcacfab39822413f5a1aa

SHA1
b70ce74c0a804ee5f0f5741b12c29b457ac81112

SHA256
4febcdad262b560fd50cffa8fd22a1a57bc4b25fde99302f80de6be5fc0bea5a

SHA512
e6e08d937a86bd024ad4825fdd005dbc13d49602a65d148113c85c4841cd6338a54b0c1dbcf7c500b2937e8cd47bb9b688b7f573b9125ef8011e426dc8d77a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp16DE.tmp

Filesize
4KB

MD5
e1a48ec781542ab4f0d3a3368b2a1d05

SHA1
a35670f07e5320a1591a55d903b35dcdd1d224a1

SHA256
f41d8818774f3ec0bf936e564f50008b46f5e4060edaab3bd72ffa389fb9ef21

SHA512
d3e756d8b321d38962a7b36af617d152e9bfd499b31f1630a24ada435715ad81a29ab73e4ab4aa21bbc9029b4177a943303e7df922bf375c2583607cb6f6566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kruibam0.oq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
442f1cc61fc0d2842231c7fa6ed6c995

SHA1
97ea9afadd16b4c1f91b79dd7649cabf0a918391

SHA256
ec4a5f56f5d7586bcb50422524a22537cef6c0e8f15d4ebb2ee437984b14db83

SHA512
229925e7321ca50a10c0c16e450e883d2e168101038c6c36105ed136668b9cd4b3dfa89bfb29c0a720db94272a5a66ca384779a0e587b670a4252819163b0981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2cb71f38660a56562522cefae4bd9da5

SHA1
2695e46d69f0600580a8dce3d6bb8ad44d8291bb

SHA256
48db9342a658af51e7da000edd9c860444fee623a3d66073bd76b0c4a0638347

SHA512
40cd79f900fc9804fe5eace35518d275e66e7675f0c8d753b7955fb04e7a2affd9f46a4a1bcc6ae7b733b27b7dbce754e1ac263f87ac9a714a9f65856843db9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
83bc201a308d792778591b9538b58a97

SHA1
abc58e6950f6bb17508df8b6fe3bf4aec18ce892

SHA256
4dff78488073e03fbf0ab5d57405533a7c851be7b4f891676a89d050ec150bd5

SHA512
7002a0ce93b7684c3a7371a73317506ceec98cd1d4cbfec9650181fdae3878cded11608a8e19bd3dc397589dfb6743aef576fdb50c6495c5d3187d814bca8b0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
632717551e261b22f3deb957ba4c443a

SHA1
a178c37a1911cd029866058e7b47a3fb408d3f29

SHA256
e0898b9aeacf3a8a9de80f50018c0f13cfb73cf0d65ff3e8e235f2cf06b98e95

SHA512
f7ffb4238f1ccce19e1431d0e3bcc4bbe589408880f64366f3ace7dea341d26c5db26b0120c9ae39b6a2b7e378b576c92a2bda85d53d99d549d0b921b6c8094d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e054bf8e739a34a140d7c1e417acfde0

SHA1
36baab59f4d9df12c89f6694734ead37b35e0e19

SHA256
11f2b1fdbc2c1f1f0f136e6f22b15c2043b3e63cf5b65de72aec4feae924fe4d

SHA512
0edcf44fc86ec668f2af6e098929240a69b0641d79ed664594df0d9f648e8abe0e9b42de948e08f7a72444ec360f87778643dc4475a92c050e653b11f9f54e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
221ae045cb3fa4c48766dee4e2e67cad

SHA1
6d476438a490a4f3401e990b4310c70c1e631919

SHA256
bd9413583c84ad90364ffbcf099be378967a8ad34576dea1c808db026975cd1c

SHA512
f852110d62787f72ab95a51eb8d617bed5778a0ad2cfc941c300f9fa623da9071e031e8cbc29541c0969264277b71bea895bde2a427517e749cc13e71d7a4b58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c9d72c5c5c2c644503fe8d7497a8f351

SHA1
a68084862fb170c543b95614efb719ab8c4f79e8

SHA256
90fd34aa3ad1d866a47a9bb46f6a12148fbf6a73dc926b1eae2ac816807b78f0

SHA512
ebb2b496c305d0a7fabf3985e1eb3eeea4302c97536fa4f7a6813538823ad8e40982a4e97e65d9d29b60b83f42589d52676c4d8f0fe258b4f3c466e08df57ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
43bb823d865b7e0aaadb80368530c337

SHA1
591bd29ec39840ba00d7c32d2801207ba44617ad

SHA256
b1f0af04e1b5a8ba005b68eab88f004db5a9fb22a4f266b99e40c93c37fbf550

SHA512
4e2b917de72794c54817407419ac9c3889467ba79ccee2bbe5182573f61eed7eae1f9f8bfb12a1aca1ac39695847d7794f707702c050f6a97e25830fa735fa18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ec92698186874935b2b192a6d223593e

SHA1
0b5cffedb79c44fdd5c67292566c6faf79bcb7b6

SHA256
a8966af62e3e5fccfa73672c060608d32719e91ae817a87403dadb7341170f7d

SHA512
99df7bfc5559f26b7e7dea1120be37da5eaad4d130df90ae741da47258034955e66206e3d4d2923c3a84f8805f0d2cb187423cefdbc040d6962b170e3eeb609f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
68594ba23a243645458aab2752a6b457

SHA1
86affe3d8c9d269483e53e367c564a28c9a2200c

SHA256
0f8e04a4ce2e763e709e440646ea879946e35197f3471d7197b4252247ce55b5

SHA512
283d4a8b842c1ac67679ca2b9b3b7cac1d5a90bbe48273eeb05e08ced6efb974b4f40fb4a2264fc83370747024aaffa14362cfe3829dc63e9e867925fb2478c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
dff6abc759ab26466bf80df21f1a38c6

SHA1
1cebb02543d47d6c247066e876cf32176276d262

SHA256
5269dfd124b176efda6ad5e0e633c70c2bf006def8e9cc099e78f920beeb17ac

SHA512
1ee9e9c0ab6a2021b825cb0b8211ef361ab29f8b88ffe695b3e87c21b7269b162ec1dcef9638f3fb6c52b7d14467dfdc1a568f302ff672f1603039cf16f65a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5248834ba8f521afdef8b91600e12b51

SHA1
44a9f5008d136f5b74de3547f90eae212dda31c6

SHA256
f4e3a6c54693cfcaec9cd9ee2cba02089958ab78d6e8bf33b33178b1d2528001

SHA512
e1d63f95a32587f4512336d3cb090487323435db7c2e5e0d8991ca10f81f0f6cefff8794cf57c57daaba25dfbee113e191284e725b594efe1d98564f215a0ee2

Download Submit
C:\Users\Admin\Desktop\Bunifu.Licensing.dll

Filesize
1.3MB

MD5
c18a9e44e200c7315a1868caab894293

SHA1
18f65508762d2492f41b22e4e6e5ad19a2226baa

SHA256
661a5be944dc9fb2e0eba01c3c0584feb3ecca44877d77f54d0f409ce801af22

SHA512
9a5e08bb6ed4535ac92ca446b630b29587cb5a4d7d695234a5d93267d2ac13d702b3738ba0e20606f10020e9642e8e315e7ddc92f1c321b68daf8524a3f5f2d1

Download Submit
C:\Users\Admin\Desktop\Plugins\Camera.dll

Filesize
52KB

MD5
e9e0b5fc7b1ed6f01d08d981d1cd761f

SHA1
011ac2fa1b9df6a4cb6d88c14316216bb64526bb

SHA256
2c82773466f72756d8152e4d5dc24d2ec954bfe5a6e7cae587d2e1d316ef43d0

SHA512
df75359dd9c1bcc6bccb17522186d710ae16054a496c3f75fa171dfe8f09e314fb28a7b1111193e64e37639c6d37de5c77cd99d795f72ab5338459886da6b964

Download Submit
C:\Users\Admin\Desktop\Plugins\Chat.dll

Filesize
36KB

MD5
736292dd81ad93bff84c28ce5de02385

SHA1
40d46e915d049966f023e8d8c1e059d9b6c22567

SHA256
0c83898f29762a4e3650fc5f5a8a3c3114d06da8f6a3fb2fa8b990a36716d6bd

SHA512
c126f17b9ed91994d52e61c7ab75536962a2c0f03cf90cba06fa423dd732379e7ccdf4050dada73267864feee8b677bd5c16ead8a485e3d8bd3f4bcc462015ed

Download Submit
C:\Users\Admin\Desktop\Plugins\HApps.dll

Filesize
30KB

MD5
a7c3b329ab9f4e20ed40c78b2ac36864

SHA1
fcb594e1a2a7c27e0208d413411e1ca30fdf4279

SHA256
d922c1762640f37a503eb116627a732290ae38b52f9b33437ffee608f7853a28

SHA512
870085fabe2ae4768b6ea9d2e7f13dad752f4c26ec6d61debd0b76c683771823b07338e1323e26c0c8e17f9ecf7f5d7fcd4b7d0b148501ef9e278b8b680925f9

Download Submit
C:\Users\Admin\Desktop\Plugins\HBrowser.dll

Filesize
22KB

MD5
ce1d9f8c498cd8c5ee38fa94df4b4907

SHA1
d3b811137776e4b1dc937d294ce0eff9a12594ff

SHA256
55b5efe0a09cb5cb79308874e2e5d25c895f995754bbf960ce9a403207ce3abd

SHA512
58c9e62bc32376773a9bb1f266aab617ad2098f2d12b13fba1bfcefdf3edd1f44682c791567cc67035550b80b735ae460111145fd1b9d733325cda9dfbe61849

Download Submit
C:\Users\Admin\Desktop\Plugins\HRDP.dll

Filesize
16KB

MD5
b9c9ea357d04731bda8c8393ae5cd741

SHA1
8d462aafddd5f37513226523dd4b7a354be2f492

SHA256
a475f59f6a1b6b1fb4c6e78f1fbe7df2d38c4f743488ba7da128a5771bf6de86

SHA512
1876e27c5d224d4bac403f99bfff21cbdd35e3d4d91257ff7c2482552e9925d85c69eb092e590ca48251e8fbf19372c131d191caa0e2b8977a2ced36173515e2

Download Submit
C:\Users\Admin\Desktop\Plugins\HVNC.dll

Filesize
31KB

MD5
3d07031e76978680240e80cc54451ad4

SHA1
255f32852fa97990ce16c8bdae766c79c7bcfe56

SHA256
44cb17f3b048ba2c7653409b0dec7c94eb86d2cf0322ac79ce6764d5b8df1549

SHA512
3595793d4b8e197a60d9c28060415489592da44e20e8f999d91e4c2f164e43ee00aaf94216a0daf4ade1cab8577dd34bb8e02c7ba12b3757b2c82c4e4bb91c7a

Download Submit
C:\Users\Admin\Desktop\Plugins\Keylogger.dll

Filesize
13KB

MD5
8e2d761ccea68168d0b991b475155678

SHA1
2872d722bdaf496d520e643d114e712199ef00f1

SHA256
c3fd1d11641109c9033fa20af16c6b737008c137fd8a926bf0b4c6630d8ab9ac

SHA512
e179a1da9f2d00cd74352dc81305462dc928a6e2acace665d42e8a2d0999bc6c8669e5e290ebd17064c6166604f87de2c7e7f31b42b4ea82b23738792c68f68d

Download Submit
C:\Users\Admin\Desktop\Plugins\Manager.dll

Filesize
126KB

MD5
b17ddbfdf27aaedb6e26ed70783a6ae7

SHA1
08590ed55d9adc47c53a9dcf7dfafc60b877aa13

SHA256
da8c5ffb5d268e9aa5783bcb064502df8f78cba724a0f96793795fe97e62a6e1

SHA512
0079131280257413f43a01a0de2b3cf393745d2864ab521619888b3b25f7f0ec1f32f9d6f682250b73c92c1483d841f7ca3f8bf34e785e3fc93afae6d086693e

Download Submit
C:\Users\Admin\Desktop\Plugins\Options.dll

Filesize
45KB

MD5
ff88d61dc7adc644d79b0f898059a7b1

SHA1
151557a014d6b177fd1ae1496f0719184df08c86

SHA256
3fd7b67e56b40caf53aa9b2df102967f7e2aab0bb4bf90ea769ea725c0498657

SHA512
ae06793d10c6c76a994db8cf3fe97a859df2a1e0dd2bc56fac042bba8a93a56e52b4edf28a30113e4cd547157bde07a77383f0295822d8e6ddea51dfcdc0b1f0

Download Submit
C:\Users\Admin\Desktop\Plugins\OptionsForm.dll

Filesize
28KB

MD5
fdaa271259f3b58f88bcfce1da990af4

SHA1
ae2bb4c6725134e9f53f7d63d8920d5c7c4e54de

SHA256
b2a0dd7d7b92ec5b99e3b18fb0235b3b039373edf9a4ea51b36447ac7d0ad464

SHA512
469507660f15a9b72cf160da089b2b4e44625010ba15cdee3d6e08f467e1d724aa0d177adbd7af926a55b0dddd016d565804ab1b2fb071ee37b48487d553b8d9

Download Submit
C:\Users\Admin\Desktop\Plugins\Passwords.dll

Filesize
63KB

MD5
67df2a509df555bbbb04264d9177c4c9

SHA1
4afbe8e70698cc6cc7cb2091c1d7dd8b343e49b6

SHA256
31805c53dcd4df47675401e2f286026492a4d2c9ffb13bf5293e8955d5ec96d1

SHA512
0b10b268a5590aa4649decda9190df03673f55b09bf66660cab43f76e61cd9afd4e3ff285b6623377f883930f3221933c7abde1b795642ccd909ccb17154712e

Download Submit
C:\Users\Admin\Desktop\Plugins\RAPP.dll

Filesize
18KB

MD5
3749325c46c36e83ea28ddd92aa60c9f

SHA1
a792b9eb154fcbd376660bca5bb1cac11e29cd17

SHA256
2e717bd5321a2ac65b38cc39238dafa7e34b7446031a6a6200aca86199a59ade

SHA512
876013df8c6736ac3bed7e8efb03cc783abe33936c2f8b7908b554b5584c42a8e81f953f7c4066576d8ef931026eb4af84618179cc0001519c493f6651ccd4be

Download Submit
C:\Users\Admin\Desktop\Plugins\RDP.dll

Filesize
17KB

MD5
2bd24da470e3968fec572600d4637f37

SHA1
752a3ee7e92e6141c26338b327b5a060c0583030

SHA256
c5d5123886fc5e948693a2c1cf14b6b1262f2b98b2ccb6ee3b06bab0c32e6c00

SHA512
60df75c2362a991ce108ed2b52d47316b56b527eef67700b89a6aa8dc52cb0f223991fe6b9819d4c047c5445051078d55965209bbf8f7c1421fc0dbc12fbc393

Download Submit
C:\Users\Admin\Desktop\Plugins\Ransom.dll

Filesize
14KB

MD5
47ced016511c0edca8af7e371ed50136

SHA1
83306913534c4a2ff234ce1dc399ac017978a476

SHA256
d47f10f19ff148464747bf7e38f7fb44c1d99569d4a9b31eee731abacd540a2f

SHA512
459333e1c3437b13db1988f901c97f16ab6e99269b3459001e898f661322b4ad034046b29561c0a6b366ff3d2c69a27334d49623744e3ee4f3341789b4bab37a

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
3fcd4ac4720febae7ed0b81913daaf1c

SHA1
7d2ec4090023cc93a453c65782c78fe9bcf5afbd

SHA256
b4b7d0f7878a60e5d641443a7d4720e178568e6febbb38a243d3b9fb8a30842b

SHA512
c6a5c5c5d17d2e56fd2fde8705062a8916673ec5557ef9f30c9f62c67877c72f5b8e4528a3a8a8ec24f74e5c52ed385442483606b13972bcc645257a5826f2ca

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
fa38a30958bd71c13e0069086735fd0b

SHA1
a1b999d7f811e03298926fdb39772a6f4c44aed0

SHA256
30e3d80a064d8dafed71d65776ad60f7fcc00908c01f443ad0afca7ad84fe55a

SHA512
46c2571d2c8ecd0e30faa107ad0b1136912a0a4feeebf98cd065cf31579827a3b7bf8b3bef69286392642a56a9910bf3128c91147fa1b08d87b4ba2fcf18be75

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
de254134f502cc8f53d235f870f2f46b

SHA1
c46382297e08e69f9387c48322a000f0a01e7942

SHA256
93a531ffaabfcbf12226bb8e3e010975a846a6274e7690047c6e965efea80515

SHA512
754c2e33ff46cb0331d22387325e5312623060e9664ab1146566f8df50667b765d35d5fc15fb63461b8778b9be84bc08f982e39885ac3ef34ee7b2841e17f3f7

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
0a3cfd79ec2120667b59a04cf568dce9

SHA1
64607d3c6ebd78f1e37f66cd55b6ffd2e25e2a1e

SHA256
04b13e40f8268c3e6892518c7c4cfdf679a204cdd32d2dddcb7df5b7828d6b5b

SHA512
94fba91a0e51a8b56d83894f9bf1080b0d4b789cbb21ff91a2b806faac7a90044118193fddbc4b31be7367cb4142bec94e4fe3d3b03b10a5980573e30789f419

Download Submit
C:\Users\Admin\Desktop\Profiles\SocketPort.xml

Filesize
57B

MD5
5f807862258a390b2e2f75abb6d2c865

SHA1
22abc144aa034c6490cbf143a8f1cdd42bd06d1b

SHA256
7b87c31f6d1163fc236651f5e1f3187cfa0c79d4a85d20c1c05f1dc3056c4823

SHA512
b831e4b2eeec23e39544961cef6619c8d57c50b53dc6bad8846682df6f5252041f50ce33cbe182488288d6d5e2e3e5194055ee4143ceb09f9601ed49d39dba39

Download Submit
C:\Users\Admin\Desktop\SilverClient.exe

Filesize
37KB

MD5
9612f8b7e6918be94a084f3eb304243f

SHA1
0d1444bdb26b63e6d6f72c6fea8cd8d4ed8cdd16

SHA256
1e55e0c4a81e619b487e9152db312f09cd960215051b3b66cbef4861437e5590

SHA512
5b5e7222fb6e59c1e61f6ec14883ab35e5a206ab640d108926836444f1e9d9e84ce8beaf1cceaa490459bb5210a784f06d30175847cba5f88505a5a6cde84924

Download Submit
C:\Users\Admin\Desktop\SilverRat.exe

Filesize
25.2MB

MD5
d6527f7d5f5152c3f5fff6786e5c1606

SHA1
e8da82b4a3d2b6bee04236162e5e46e636310ec6

SHA256
79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9

SHA512
2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f

Download Submit
C:\Users\Admin\Desktop\SilverRat.exe.config

Filesize
526B

MD5
d6f1152d647b57f64494c3e1d32ede94

SHA1
a35bd77be82c79a034660df07270467ee109f5ac

SHA256
a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72

SHA512
699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

Download Submit
C:\Users\Admin\Desktop\bunifu.ui.winforms.1.5.3.dll

Filesize
297KB

MD5
c1d51a0e747c9d6156410cb3c5b97a60

SHA1
86312cba2eb3495cc6bec66d54d4ab88596275d8

SHA256
6937052b86bc251be510b110e08fc5089d3bd687ce2333a85ea6d5c2c09b437a

SHA512
a8d7b2e5555c01076e8dd744d21d8cd901aaffad052af0e8c22269e8c2f765019422ed245368a64d64157652a0e4fcab1a889086fde4e139b4ccf5f7bad08222

Download Submit
C:\Users\Admin\Desktop\bunifu.ui.winforms.dll

Filesize
1.3MB

MD5
686833fccd95b4f5c8d7695a2d45955d

SHA1
882f60ea47f536c1f01da0f5767dfe5d569fc011

SHA256
578cbcfb7a01234907fb6314918efd23a502882c79d0ee3c2e7d4ae0cf63ebc2

SHA512
8bb3a8741b73ad7c280de31905dbfc449c2d6f538b8feca232201c7079f917c4291936211632bcdf17c95d6cf5d9b97df2cdd21c57af6cbff486ea7691ff3bc1

Download Submit
C:\Users\Admin\Desktop\cGeoIp.dll

Filesize
2.3MB

MD5
6d6e172e7965d1250a4a6f8a0513aa9f

SHA1
b0fd4f64e837f48682874251c93258ee2cbcad2b

SHA256
d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

SHA512
35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

Download Submit
C:\Users\Admin\Desktop\guna.ui2.dll

Filesize
1.4MB

MD5
acec68d05e0b9b6c34a24da530dc07b2

SHA1
015eb32aad6f5309296c3a88f0c5ab1ba451d41e

SHA256
bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277

SHA512
d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700

Download Submit
C:\Users\Admin\Desktop\stub.cs

Filesize
84KB

MD5
255787b7316051d866d8a8a384102c9a

SHA1
5a9fe0570579b7fe3916ec51abaa6606cf44dd18

SHA256
1ffef5d31a2d6dbc01177fcf7835c9d9eeb4334bd39b20ec76eb2be1ba429f3f

SHA512
3016709d0ca83b58abadf1db647ff313105fa03e738f016cbb6364fa258c1824bfb692117ce325b1189a73242208fbcb58825c0abc022df06b771ed0937594db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ils51oac\ils51oac.0.cs

Filesize
87KB

MD5
02096cf9272b15d6f81ccc44a66f04ec

SHA1
2a1e78adb00b0ca454ebb2ba98c355ee39842b55

SHA256
4a3e021333104823fad1c81f111afd23d0dcb6c2b3c8f74302dad694f7fe3f2a

SHA512
1e768a3bc15f5cf8608dbf1dc05bbe2f8fad42c8ef3e831a425395fa2a931d97f8eab54d359d31390c48990f4cc23928d0ebdee2abb8714c2c0fc3319955241c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ils51oac\ils51oac.cmdline

Filesize
265B

MD5
cd8fa1a33733a196bce7696e0e346a82

SHA1
231e1e2f2463360ed31a65ea0829a0b85eabf9f1

SHA256
bed1e0e276ebd18dfa152b4c3963d13afa62bbe936c5c3ea5f9fb8eb327c7d22

SHA512
80bea436ee410924111d46986a0671ecdf3687744b2dbabef4003a208bfb7936b6ee56524d7b81d370bfe8477133cf2d417bb9c4cc7a7444c69655e2b9d1cf47

Download Submit
\??\c:\Users\Admin\Desktop\CSC53E110A69FB148B88F14F01659C020E8.TMP

Filesize
1KB

MD5
8c0a1f2b904af16969873aa36f4fd60c

SHA1
a2509390671f63924f9124a81b515cff807cab99

SHA256
d8fc284ae033b8f26c85fa6272ea0a6ed42bab7d363f1dbcb1f60fafe7c47b9e

SHA512
9b06fc51cd3bd8c0d10d3a66812487e962893fcd43e2233b7f54865c0dc32d0ad065fb7b39421e82901f234f71845ebe87a44a105f0f87f7da2ea855edff0381

Download Submit
memory/628-378-0x0000017D95B00000-0x0000017D95C00000-memory.dmp

Filesize
1024KB

Download
memory/628-396-0x00000185977B0000-0x00000185977D0000-memory.dmp

Filesize
128KB

Download
memory/628-407-0x0000018597EC0000-0x0000018597EE0000-memory.dmp

Filesize
128KB

Download
memory/628-383-0x0000018597B00000-0x0000018597B20000-memory.dmp

Filesize
128KB

Download
memory/1236-384-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1240-690-0x00000192C9F40000-0x00000192C9FB6000-memory.dmp

Filesize
472KB

Download
memory/1512-282-0x00000000012F0000-0x00000000012FE000-memory.dmp

Filesize
56KB

Download
memory/1512-591-0x000000001C6F0000-0x000000001C710000-memory.dmp

Filesize
128KB

Download
memory/1512-278-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/1512-263-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1512-369-0x00000000012C0000-0x00000000012D8000-memory.dmp

Filesize
96KB

Download
memory/1512-590-0x00000000012E0000-0x00000000012EE000-memory.dmp

Filesize
56KB

Download
memory/1512-589-0x00000000010E0000-0x00000000010F6000-memory.dmp

Filesize
88KB

Download
memory/1512-368-0x00000000012A0000-0x00000000012B8000-memory.dmp

Filesize
96KB

Download
memory/1512-367-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/1512-366-0x0000000000F20000-0x0000000000F42000-memory.dmp

Filesize
136KB

Download
memory/1512-365-0x000000001E840000-0x000000001E8EA000-memory.dmp

Filesize
680KB

Download
memory/1512-364-0x0000000001450000-0x0000000001470000-memory.dmp

Filesize
128KB

Download
memory/1512-577-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/2556-105-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/2556-86-0x0000000007E30000-0x0000000007F80000-memory.dmp

Filesize
1.3MB

Download
memory/2556-97-0x00000000081E0000-0x0000000008212000-memory.dmp

Filesize
200KB

Download
memory/2556-98-0x0000000009260000-0x00000000092FC000-memory.dmp

Filesize
624KB

Download
memory/2556-102-0x0000000009770000-0x00000000098BE000-memory.dmp

Filesize
1.3MB

Download
memory/2556-94-0x0000000008230000-0x0000000008482000-memory.dmp

Filesize
2.3MB

Download
memory/2556-103-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-126-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-104-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-90-0x0000000007450000-0x000000000749E000-memory.dmp

Filesize
312KB

Download
memory/2556-96-0x0000000008190000-0x000000000819A000-memory.dmp

Filesize
40KB

Download
memory/2556-75-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/2556-95-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-124-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-125-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2556-82-0x0000000007A60000-0x0000000007BD6000-memory.dmp

Filesize
1.5MB

Download
memory/2556-78-0x0000000006FA0000-0x0000000007032000-memory.dmp

Filesize
584KB

Download
memory/2556-77-0x00000000074B0000-0x0000000007A54000-memory.dmp

Filesize
5.6MB

Download
memory/2556-76-0x0000000000BF0000-0x000000000251E000-memory.dmp

Filesize
25.2MB

Download
memory/4468-678-0x000002A0CA440000-0x000002A0CA484000-memory.dmp

Filesize
272KB

Download
memory/4468-600-0x000002A0C9F50000-0x000002A0C9F72000-memory.dmp

Filesize
136KB

Download